1c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrompackage org.bouncycastle.jce.provider; 2c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 3c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.io.IOException; 4c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.math.BigInteger; 5c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.security.GeneralSecurityException; 6c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.security.PublicKey; 7c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.security.cert.CertPath; 8c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.security.cert.CertPathBuilder; 9c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.security.cert.CertPathBuilderException; 10c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.security.cert.CertPathValidatorException; 11c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.security.cert.CertificateExpiredException; 12c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.security.cert.CertificateNotYetValidException; 13c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.security.cert.PKIXCertPathChecker; 14c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.security.cert.X509CRL; 15c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.security.cert.X509Certificate; 16c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.security.cert.X509Extension; 17c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.util.ArrayList; 18c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.util.Collection; 19c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.util.Date; 20c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.util.Enumeration; 21c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.util.HashMap; 
22c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.util.HashSet; 23c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.util.Iterator; 24c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.util.List; 25c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.util.Map; 26c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.util.Set; 27c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.util.Vector; 28c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 29c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport javax.security.auth.x500.X500Principal; 30c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 314c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstromimport org.bouncycastle.asn1.ASN1Encodable; 32c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.ASN1EncodableVector; 33c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.ASN1InputStream; 344c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstromimport org.bouncycastle.asn1.ASN1Primitive; 35c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.ASN1Sequence; 36c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.ASN1TaggedObject; 37c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.DERInteger; 38c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.DERObjectIdentifier; 39c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.DERSequence; 40c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.x509.BasicConstraints; 41c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.x509.CRLDistPoint; 42c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.x509.CRLReason; 43c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian 
Carlstromimport org.bouncycastle.asn1.x509.DistributionPoint; 44c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.x509.DistributionPointName; 45c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.x509.GeneralName; 46c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.x509.GeneralNames; 47c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.x509.GeneralSubtree; 48c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.x509.IssuingDistributionPoint; 49c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.x509.NameConstraints; 50c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.x509.PolicyInformation; 51c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.x509.X509Extensions; 52c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.x509.X509Name; 53c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.jce.exception.ExtCertPathValidatorException; 54c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.util.Arrays; 55c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.x509.ExtendedPKIXBuilderParameters; 56c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.x509.ExtendedPKIXParameters; 57c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.x509.X509CRLStoreSelector; 58c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.x509.X509CertStoreSelector; 59c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 60c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrompublic class RFC3280CertPathUtilities 61c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom{ 626e736056d64d0e33b26cf9f7c4e351b496241fdeBrian Carlstrom private static final 
PKIXCRLUtil CRL_UTIL = new PKIXCRLUtil();

    /**
     * If the complete CRL includes an issuing distribution point (IDP) CRL
     * extension check the following:
     * <p/>
     * (i) If the distribution point name is present in the IDP CRL extension
     * and the distribution field is present in the DP, then verify that one of
     * the names in the IDP matches one of the names in the DP. If the
     * distribution point name is present in the IDP CRL extension and the
     * distribution field is omitted from the DP, then verify that one of the
     * names in the IDP matches one of the names in the cRLIssuer field of the
     * DP.
     * </p>
     * <p/>
     * (ii) If the onlyContainsUserCerts boolean is asserted in the IDP CRL
     * extension, verify that the certificate does not include the basic
     * constraints extension with the cA boolean asserted.
     * </p>
     * <p/>
     * (iii) If the onlyContainsCACerts boolean is asserted in the IDP CRL
     * extension, verify that the certificate includes the basic constraints
     * extension with the cA boolean asserted.
     * </p>
     * <p/>
     * (iv) Verify that the onlyContainsAttributeCerts boolean is not asserted.
     * </p>
     * <p/>
     * This is step (b)(2) of the CRL processing in RFC 3280 section 6.3.3. The
     * CRL and the distribution point are untrusted input: decoding failures are
     * meant to surface as {@link AnnotatedException} so that the caller can
     * reject the CRL rather than crash.
     * </p>
     *
     * @param dp The distribution point.
     * @param cert The certificate (an {@link X509Certificate} or an attribute
     *             certificate; it is cast to {@link X509Extension} below).
     * @param crl The CRL.
     * @throws AnnotatedException if one of the conditions is not met or an error occurs.
     */
    protected static void processCRLB2(
        DistributionPoint dp,
        Object cert,
        X509CRL crl)
        throws AnnotatedException
    {
        IssuingDistributionPoint idp = null;
        try
        {
            idp = IssuingDistributionPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(crl,
                RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT));
        }
        catch (Exception e)
        {
            throw new AnnotatedException("Issuing distribution point extension could not be decoded.", e);
        }
        // (b) (2) (i)
        // distribution point name is present
        if (idp != null)
        {
            if (idp.getDistributionPoint() != null)
            {
                // make list of names
                // names = every full name the IDP can be addressed by; a relative
                // name is expanded against the CRL issuer so that it can be
                // compared with the DP's names below.
                DistributionPointName dpName = IssuingDistributionPoint.getInstance(idp).getDistributionPoint();
                List names = new ArrayList();

                if (dpName.getType() == DistributionPointName.FULL_NAME)
                {
                    GeneralName[] genNames = GeneralNames.getInstance(dpName.getName()).getNames();
                    for (int j = 0; j < genNames.length; j++)
                    {
                        names.add(genNames[j]);
                    }
                }
                if (dpName.getType() == DistributionPointName.NAME_RELATIVE_TO_CRL_ISSUER)
                {
                    // rebuild the full name as <CRL issuer RDNs> followed by the
                    // relative RDN carried in the IDP
                    ASN1EncodableVector vec = new ASN1EncodableVector();
                    try
                    {
                        Enumeration e = ASN1Sequence.getInstance(
                            ASN1Sequence.fromByteArray(CertPathValidatorUtilities.getIssuerPrincipal(crl)
                                .getEncoded())).getObjects();
                        while (e.hasMoreElements())
                        {
                            vec.add((ASN1Encodable)e.nextElement());
                        }
                    }
                    catch (IOException e)
                    {
                        throw new AnnotatedException("Could not read CRL issuer.", e);
                    }
                    vec.add(dpName.getName());
                    names.add(new GeneralName(X509Name.getInstance(new DERSequence(vec))));
                }
                boolean matches = false;
                // verify that one of the names in the IDP matches one
                // of the names in the DP.
                if (dp.getDistributionPoint() != null)
                {
                    // from here on dpName refers to the DP's name, not the IDP's
                    dpName = dp.getDistributionPoint();
                    GeneralName[] genNames = null;
                    if (dpName.getType() == DistributionPointName.FULL_NAME)
                    {
                        genNames = GeneralNames.getInstance(dpName.getName()).getNames();
                    }
                    if (dpName.getType() == DistributionPointName.NAME_RELATIVE_TO_CRL_ISSUER)
                    {
                        // the base for a relative DP name is the cRLIssuer when
                        // present, otherwise the issuer of the certificate itself
                        if (dp.getCRLIssuer() != null)
                        {
                            genNames = dp.getCRLIssuer().getNames();
                        }
                        else
                        {
                            genNames = new GeneralName[1];
                            try
                            {
                                genNames[0] = new GeneralName(new X509Name(
                                    (ASN1Sequence)ASN1Sequence.fromByteArray(CertPathValidatorUtilities
                                        .getEncodedIssuerPrincipal(cert).getEncoded())));
                            }
                            catch (IOException e)
                            {
                                throw new AnnotatedException("Could not read certificate issuer.", e);
                            }
                        }
                        for (int j = 0; j < genNames.length; j++)
                        {
                            // NOTE(review): this assumes every base name is a directoryName.
                            // A cRLIssuer entry of another name form is not a SEQUENCE, so
                            // getInstance would likely fail with an unchecked exception
                            // rather than the AnnotatedException callers expect — confirm.
                            Enumeration e = ASN1Sequence.getInstance(genNames[j].getName().toASN1Primitive()).getObjects();
                            ASN1EncodableVector vec = new ASN1EncodableVector();
                            while (e.hasMoreElements())
                            {
                                vec.add((ASN1Encodable)e.nextElement());
                            }
                            vec.add(dpName.getName());
                            genNames[j] = new GeneralName(new X509Name(new DERSequence(vec)));
                        }
                    }
                    if (genNames != null)
                    {
                        // the match is decided by GeneralName.equals() via List.contains()
                        for (int j = 0; j < genNames.length; j++)
                        {
                            if (names.contains(genNames[j]))
                            {
                                matches = true;
                                break;
                            }
                        }
                    }
                    if (!matches)
                    {
                        throw new AnnotatedException(
                            "No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point.");
                    }
                }
                // verify that one of the names in
                // the IDP matches one of the names in the cRLIssuer field of
                // the DP
                else
                {
                    // a DP with neither field is malformed (RFC 3280 requires one of them)
                    if (dp.getCRLIssuer() == null)
                    {
                        throw new AnnotatedException("Either the cRLIssuer or the distributionPoint field must "
                            + "be contained in DistributionPoint.");
                    }
                    GeneralName[] genNames = dp.getCRLIssuer().getNames();
                    for (int j = 0; j < genNames.length; j++)
                    {
                        if (names.contains(genNames[j]))
                        {
                            matches = true;
                            break;
                        }
                    }
                    if (!matches)
                    {
                        throw new AnnotatedException(
                            "No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point.");
                    }
                }
            }
            // basic constraints of the certificate being checked; null when the
            // extension is absent. cert must implement X509Extension for this cast.
            BasicConstraints bc = null;
            try
            {
                bc = BasicConstraints.getInstance(CertPathValidatorUtilities.getExtensionValue((X509Extension)cert,
                    BASIC_CONSTRAINTS));
            }
            catch (Exception e)
            {
                throw new AnnotatedException("Basic constraints extension could not be decoded.", e);
            }

            // (ii) and (iii) only apply to public-key certificates; attribute
            // certificates skip them and are covered by (iv) below.
            if (cert instanceof X509Certificate)
            {
                // (b) (2) (ii)
                if (idp.onlyContainsUserCerts() && (bc != null && bc.isCA()))
                {
                    throw new AnnotatedException("CA Cert CRL only contains user certificates.");
                }

                // (b) (2) (iii)
                // an absent basic constraints extension counts as "not a CA"
                if (idp.onlyContainsCACerts() && (bc == null || !bc.isCA()))
                {
                    throw new AnnotatedException("End CRL only contains CA certificates.");
                }
            }

            // (b) (2) (iv)
            if (idp.onlyContainsAttributeCerts())
            {
                throw new AnnotatedException("onlyContainsAttributeCerts boolean is asserted.");
            }
        }
    }

    /**
     * If the DP includes cRLIssuer, then verify that the issuer field in the
     * complete CRL matches cRLIssuer in the DP and
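that the complete CRL
     * contains an issuing distribution point extension with the indirectCRL
     * boolean asserted. Otherwise, verify that the CRL issuer matches the
     * certificate issuer.
     * <p/>
     * This is step (b)(1) of the CRL processing in RFC 3280 section 6.3.3. The
     * CRL and the distribution point are untrusted input; any decoding problem
     * is reported as {@link AnnotatedException} so the caller can reject the CRL.
     * </p>
     *
     * @param dp The distribution point.
     * @param cert The certificate or attribute certificate.
     * @param crl The CRL for <code>cert</code>.
     * @throws AnnotatedException if one of the above conditions does not apply or an error
     *             occurs, including a malformed issuing distribution point extension.
     */
    protected static void processCRLB1(
        DistributionPoint dp,
        Object cert,
        X509CRL crl)
        throws AnnotatedException
    {
        ASN1Primitive idp = CertPathValidatorUtilities.getExtensionValue(crl, ISSUING_DISTRIBUTION_POINT);
        boolean isIndirect = false;
        if (idp != null)
        {
            // Decode inside a guard, as processCRLB2 and processCRLD do: a malformed
            // IDP in an untrusted CRL must become the AnnotatedException callers
            // handle, not an unchecked exception escaping from getInstance().
            try
            {
                isIndirect = IssuingDistributionPoint.getInstance(idp).isIndirectCRL();
            }
            catch (Exception e)
            {
                throw new AnnotatedException("Issuing distribution point extension could not be decoded.", e);
            }
        }
        // DER encoding of the CRL's issuer name, used for the byte-wise comparison below
        byte[] issuerBytes = CertPathValidatorUtilities.getIssuerPrincipal(crl).getEncoded();

        boolean matchIssuer = false;
        if (dp.getCRLIssuer() != null)
        {
            // Only directoryName entries can be compared with the CRL issuer DN;
            // other name forms in cRLIssuer are skipped and never produce a match.
            GeneralName[] genNames = dp.getCRLIssuer().getNames();
            for (int j = 0; j < genNames.length; j++)
            {
                if (genNames[j].getTagNo() == GeneralName.directoryName)
                {
                    try
                    {
                        // compare encodings rather than string forms of the names
                        if (Arrays.areEqual(genNames[j].getName().toASN1Primitive().getEncoded(), issuerBytes))
                        {
                            matchIssuer = true;
                        }
                    }
                    catch (IOException e)
                    {
                        throw new AnnotatedException(
                            "CRL issuer information from distribution point cannot be decoded.", e);
                    }
                }
            }
            // a DP naming a separate CRL issuer is only acceptable for an indirect CRL
            if (matchIssuer && !isIndirect)
            {
                throw new AnnotatedException("Distribution point contains cRLIssuer field but CRL is not indirect.");
            }
            if (!matchIssuer)
            {
                throw new AnnotatedException("CRL issuer of CRL does not match CRL issuer of distribution point.");
            }
        }
        else
        {
            // no cRLIssuer: the CRL must come from the certificate's own issuer
            if (CertPathValidatorUtilities.getIssuerPrincipal(crl).equals(
                CertPathValidatorUtilities.getEncodedIssuerPrincipal(cert)))
            {
                matchIssuer = true;
            }
        }
        if (!matchIssuer)
        {
            throw new AnnotatedException("Cannot find matching CRL issuer for certificate.");
        }
    }

    /**
     * Computes the interim reasons mask for <code>crl</code> as obtained through
     * distribution point <code>dp</code>: step (d) of the CRL processing in
     * RFC 3280 section 6.3.3. The result is the intersection of the reasons in
     * the DP and the onlySomeReasons in the CRL's issuing distribution point
     * extension, where a field that is absent on either side counts as all
     * reasons.
     *
     * @param crl The complete CRL.
     * @param dp The distribution point the CRL was obtained from.
     * @return the reasons this CRL covers for <code>dp</code>; never null.
     * @throws AnnotatedException if the issuing distribution point extension cannot be decoded.
     */
    protected static ReasonsMask processCRLD(
        X509CRL crl,
        DistributionPoint dp)
        throws AnnotatedException
    {
        IssuingDistributionPoint idp = null;
        try
        {
            idp = IssuingDistributionPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(crl,
                RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT));
        }
        catch (Exception e)
        {
            throw new AnnotatedException("Issuing distribution point extension could not be decoded.", e);
        }
        // (d) (1): both sides present -> intersection
        if (idp != null && idp.getOnlySomeReasons() != null && dp.getReasons() != null)
        {
            return new ReasonsMask(dp.getReasons()).intersect(new ReasonsMask(idp.getOnlySomeReasons()));
        }
        // (d) (4): both sides absent -> all reasons
        if ((idp == null || idp.getOnlySomeReasons() == null) && dp.getReasons() == null)
        {
            return ReasonsMask.allReasons;
        }
        // (d) (2) and (d) (3): exactly one side is present, so the answer is that
        // side's reasons. An IDP that omits onlySomeReasons is treated as all
        // reasons here, exactly like a missing IDP; the previous code handed the
        // null ReasonFlags of such an IDP to the ReasonsMask constructor.
        ReasonsMask dpReasons = dp.getReasons() == null
            ? ReasonsMask.allReasons
            : new ReasonsMask(dp.getReasons());
        ReasonsMask idpReasons = (idp == null || idp.getOnlySomeReasons() == null)
            ? ReasonsMask.allReasons
            : new ReasonsMask(idp.getOnlySomeReasons());
        return dpReasons.intersect(idpReasons);
    }

    // Dotted-decimal OIDs of the X.509 extensions this class looks up with
    // CertPathValidatorUtilities.getExtensionValue().
    protected static final String CERTIFICATE_POLICIES = X509Extensions.CertificatePolicies.getId();

    protected static final String POLICY_MAPPINGS = X509Extensions.PolicyMappings.getId();

    protected static final String INHIBIT_ANY_POLICY = X509Extensions.InhibitAnyPolicy.getId();

    protected static final String ISSUING_DISTRIBUTION_POINT = X509Extensions.IssuingDistributionPoint.getId();
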
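protected static final String FRESHEST_CRL = X509Extensions.FreshestCRL.getId();

protected static final String DELTA_CRL_INDICATOR = X509Extensions.DeltaCRLIndicator.getId();

protected static final String POLICY_CONSTRAINTS = X509Extensions.PolicyConstraints.getId();

protected static final String BASIC_CONSTRAINTS = X509Extensions.BasicConstraints.getId();

protected static final String CRL_DISTRIBUTION_POINTS = X509Extensions.CRLDistributionPoints.getId();

protected static final String SUBJECT_ALTERNATIVE_NAME = X509Extensions.SubjectAlternativeName.getId();

protected static final String NAME_CONSTRAINTS = X509Extensions.NameConstraints.getId();

protected static final String AUTHORITY_KEY_IDENTIFIER = X509Extensions.AuthorityKeyIdentifier.getId();

protected static final String KEY_USAGE = X509Extensions.KeyUsage.getId();

protected static final String CRL_NUMBER = X509Extensions.CRLNumber.getId();

/** OID of the special anyPolicy certificate policy. */
protected static final String ANY_POLICY = "2.5.29.32.0";

/*
 * key usage bits: indices into the boolean[] returned by
 * X509Certificate.getKeyUsage()
 */
protected static final int KEY_CERT_SIGN = 5;

protected static final int CRL_SIGN = 6;

/**
 * Obtain and validate the certification path for the complete CRL issuer.
 * If a key usage extension is present in the CRL issuer's certificate,
 * verify that the cRLSign bit is set.
 * <p>
 * Candidate issuer certificates are collected from all configured stores
 * plus <code>defaultCRLSignCert</code>. For the default signer the path
 * validation is skipped (it has already been validated as part of the
 * certification path); every other candidate is run through a PKIX path
 * build. Revocation checking is disabled for a candidate that is itself
 * part of <code>certPathCerts</code>, because checking its CRL would
 * depend on this very CRL check and loop; for all other candidates it
 * stays enabled so that a forged CRL signer is rejected.
 *
 * @param crl CRL which contains revocation information for the certificate
 *            <code>cert</code>.
 * @param cert The attribute certificate or certificate to check if it is
 *            revoked.
 * @param defaultCRLSignCert The issuer certificate of the certificate <code>cert</code>.
 * @param defaultCRLSignKey The public key of the issuer certificate
 *            <code>defaultCRLSignCert</code>.
 * @param paramsPKIX paramsPKIX PKIX parameters.
 * @param certPathCerts The certificates on the certification path.
 * @return A <code>Set</code> with all keys of possible CRL issuer
 *         certificates.
 * @throws AnnotatedException if the CRL is not valid or the status cannot be checked or
 *             some error occurs, in particular when no candidate remains
 *             after the cRLSign key-usage filter.
 */
protected static Set processCRLF(
    X509CRL crl,
    Object cert,
    X509Certificate defaultCRLSignCert,
    PublicKey defaultCRLSignKey,
    ExtendedPKIXParameters paramsPKIX,
    List certPathCerts)
    throws AnnotatedException
{
    // (f)

    // get issuer from CRL
    X509CertStoreSelector selector = new X509CertStoreSelector();
    try
    {
        byte[] issuerPrincipal = CertPathValidatorUtilities.getIssuerPrincipal(crl).getEncoded();
        selector.setSubject(issuerPrincipal);
    }
    catch (IOException e)
    {
        throw new AnnotatedException(
            "Subject criteria for certificate selector to find issuer certificate for CRL could not be set.", e);
    }

    // get CRL signing certs
    Collection coll;
    try
    {
        coll = CertPathValidatorUtilities.findCertificates(selector, paramsPKIX.getStores());
        coll.addAll(CertPathValidatorUtilities.findCertificates(selector, paramsPKIX.getAdditionalStores()));
        coll.addAll(CertPathValidatorUtilities.findCertificates(selector, paramsPKIX.getCertStores()));
    }
    catch (AnnotatedException e)
    {
        throw new AnnotatedException("Issuer certificate for CRL cannot be searched.", e);
    }

    coll.add(defaultCRLSignCert);

    Iterator cert_it = coll.iterator();

    List validCerts = new ArrayList();
    List validKeys = new ArrayList();

    while (cert_it.hasNext())
    {
        X509Certificate signingCert = (X509Certificate)cert_it.next();

        /*
         * CA of the certificate, for which this CRL is checked, has also
         * signed CRL, so skip the path validation, because is already done
         */
        if (signingCert.equals(defaultCRLSignCert))
        {
            validCerts.add(signingCert);
            validKeys.add(defaultCRLSignKey);
            continue;
        }
        try
        {
            CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME);
            selector = new X509CertStoreSelector();
            selector.setCertificate(signingCert);
            ExtendedPKIXParameters temp = (ExtendedPKIXParameters)paramsPKIX.clone();
            temp.setTargetCertConstraints(selector);
            ExtendedPKIXBuilderParameters params = (ExtendedPKIXBuilderParameters)ExtendedPKIXBuilderParameters
                .getInstance(temp);
            /*
             * if signingCert is placed not higher on the cert path a
             * dependency loop results. CRL for cert is checked, but
             * signingCert is needed for checking the CRL which is dependent
             * on checking cert because it is higher in the cert path and so
             * signing signingCert transitively. so, revocation is disabled,
             * forgery attacks of the CRL are detected in this outer loop
             * for all other it must be enabled to prevent forgery attacks
             */
            params.setRevocationEnabled(!certPathCerts.contains(signingCert));
            List certs = builder.build(params).getCertPath().getCertificates();
            validCerts.add(signingCert);
            validKeys.add(CertPathValidatorUtilities.getNextWorkingKey(certs, 0));
        }
        catch (CertPathBuilderException e)
        {
            throw new AnnotatedException("Internal error.", e);
        }
        catch (CertPathValidatorException e)
        {
            throw new AnnotatedException("Public key of issuer certificate of CRL could not be retrieved.", e);
        }
        catch (Exception e)
        {
            // keep the original exception as cause so the failure stays diagnosable
            throw new RuntimeException(e.getMessage(), e);
        }
    }

    Set checkKeys = new HashSet();

    AnnotatedException lastException = null;
    for (int i = 0; i < validCerts.size(); i++)
    {
        X509Certificate signCert = (X509Certificate)validCerts.get(i);
        boolean[] keyusage = signCert.getKeyUsage();

        // a key usage extension that is present but lacks (or is too short
        // to hold) the cRLSign bit disqualifies this candidate
        if (keyusage != null && (keyusage.length < 7 || !keyusage[CRL_SIGN]))
        {
            lastException = new AnnotatedException(
                "Issuer certificate key usage extension does not permit CRL signing.");
        }
        else
        {
            checkKeys.add(validKeys.get(i));
        }
    }

    if (checkKeys.isEmpty() && lastException == null)
    {
        throw new AnnotatedException("Cannot find a valid issuer certificate.");
    }
    if (checkKeys.isEmpty() && lastException != null)
    {
        throw lastException;
    }

    return checkKeys;
}

/**
 * Verify the signature of the complete CRL against the candidate issuer keys.
 *
 * @param crl The CRL whose signature is checked.
 * @param keys The candidate public keys (as returned by <code>processCRLF</code>).
 * @return The first key in iteration order for which <code>crl.verify</code> succeeds.
 * @throws AnnotatedException if no key verifies the CRL; the last verification
 *             failure (or <code>null</code> if <code>keys</code> was empty) is the cause.
 */
protected static PublicKey processCRLG(
    X509CRL crl,
    Set keys)
    throws AnnotatedException
{
    Exception lastException = null;
    for (Iterator it = keys.iterator(); it.hasNext();)
    {
        PublicKey key = (PublicKey)it.next();
        try
        {
            crl.verify(key);
            return key;
        }
        catch (Exception e)
        {
            lastException = e;
        }
    }
    throw new AnnotatedException("Cannot verify CRL.", lastException);
}

/**
 * Select the delta CRL that verifies with the key used for the complete CRL.
 *
 * @param deltacrls The candidate delta CRLs.
 * @param key The public key that verified the complete CRL.
 * @return The first delta CRL in iteration order whose signature verifies with
 *         <code>key</code>, or <code>null</code> if <code>deltacrls</code> is empty.
 * @throws AnnotatedException if candidates exist but none verifies; the last
 *             verification failure is the cause.
 */
protected static X509CRL processCRLH(
    Set deltacrls,
    PublicKey key)
    throws AnnotatedException
{
    Exception lastException = null;

    for (Iterator it = deltacrls.iterator(); it.hasNext();)
    {
        X509CRL crl = (X509CRL)it.next();
        try
        {
            crl.verify(key);
            return crl;
        }
        catch (Exception e)
        {
            lastException = e;
        }
    }

    if (lastException != null)
    {
        throw new AnnotatedException("Cannot verify delta CRL.", lastException);
    }
    return null;
}

/**
 * Collect delta CRLs for <code>crl</code> when use-deltas is enabled.
 * <p>
 * The Freshest CRL extension is read from the certificate first and, if
 * absent there, from the CRL; any distribution points found are added as
 * additional stores to <code>paramsPKIX</code> before the delta CRLs are fetched.
 *
 * @param currentDate The validation time.
 * @param paramsPKIX PKIX parameters (additional stores may be added to them).
 * @param cert The certificate being checked.
 * @param crl The complete CRL the deltas belong to.
 * @return The delta CRLs found; empty if use-deltas is disabled or no
 *         Freshest CRL extension is present.
 * @throws AnnotatedException if the extension cannot be decoded, the
 *             distribution points cannot be added, or the delta CRLs cannot be obtained.
 */
protected static Set processCRLA1i(
    Date currentDate,
    ExtendedPKIXParameters paramsPKIX,
    X509Certificate cert,
    X509CRL crl)
    throws AnnotatedException
{
    Set set = new HashSet();
    if (paramsPKIX.isUseDeltasEnabled())
    {
        CRLDistPoint freshestCRL = null;
        try
        {
            freshestCRL = CRLDistPoint
                .getInstance(CertPathValidatorUtilities.getExtensionValue(cert, FRESHEST_CRL));
        }
        catch (AnnotatedException e)
        {
            throw new AnnotatedException("Freshest CRL extension could not be decoded from certificate.", e);
        }
        if (freshestCRL == null)
        {
            // fall back to the CRL's own Freshest CRL extension
            try
            {
                freshestCRL = CRLDistPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(crl,
                    FRESHEST_CRL));
            }
            catch (AnnotatedException e)
            {
                throw new AnnotatedException("Freshest CRL extension could not be decoded from CRL.", e);
            }
        }
        if (freshestCRL != null)
        {
            try
            {
                CertPathValidatorUtilities.addAdditionalStoresFromCRLDistributionPoint(freshestCRL, paramsPKIX);
            }
            catch (AnnotatedException e)
            {
                throw new AnnotatedException(
                    "No new delta CRL locations could be added from Freshest CRL extension.", e);
            }
            // get delta CRL(s)
            try
            {
                set.addAll(CertPathValidatorUtilities.getDeltaCRLs(currentDate, paramsPKIX, crl));
            }
            catch (AnnotatedException e)
            {
                throw new AnnotatedException("Exception obtaining delta CRLs.", e);
            }
        }
    }
    return set;
}

/**
 * Find the complete CRLs for <code>cert</code> issued by the issuer of
 * <code>crl</code>, and the matching delta CRLs when use-deltas is enabled.
 *
 * @param currentDate The validation time.
 * @param paramsPKIX PKIX parameters.
 * @param cert The certificate being checked.
 * @param crl The CRL whose issuer name restricts the search.
 * @return A two-element array: index 0 holds the complete CRLs, index 1 the
 *         delta CRLs (empty if use-deltas is disabled).
 * @throws AnnotatedException if the CRL issuer cannot be encoded or the delta
 *             CRLs cannot be obtained.
 */
protected static Set[] processCRLA1ii(
    Date currentDate,
    ExtendedPKIXParameters paramsPKIX,
    X509Certificate cert,
    X509CRL crl)
    throws AnnotatedException
{
    Set deltaSet = new HashSet();
    X509CRLStoreSelector crlselect = new X509CRLStoreSelector();
    crlselect.setCertificateChecking(cert);

    try
    {
        crlselect.addIssuerName(crl.getIssuerX500Principal().getEncoded());
    }
    catch (IOException e)
    {
        throw new AnnotatedException("Cannot extract issuer from CRL." + e, e);
    }

    crlselect.setCompleteCRLEnabled(true);
    Set completeSet = CRL_UTIL.findCRLs(crlselect, paramsPKIX, currentDate);

    if (paramsPKIX.isUseDeltasEnabled())
    {
        // get delta CRL(s)
        try
        {
            deltaSet.addAll(CertPathValidatorUtilities.getDeltaCRLs(currentDate, paramsPKIX, crl));
        }
        catch (AnnotatedException e)
        {
            throw new AnnotatedException("Exception obtaining delta CRLs.", e);
        }
    }
    return new Set[]
    {
        completeSet,
        deltaSet};
}


/**
 * If use-deltas is set, verify the issuer and scope of the delta CRL.
 *
 * @param deltaCRL The delta CRL.
 * @param completeCRL The complete CRL.
 * @param pkixParams The PKIX parameters.
 * @throws AnnotatedException if an exception occurs.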
*/
    protected static void processCRLC(
        X509CRL deltaCRL,
        X509CRL completeCRL,
        ExtendedPKIXParameters pkixParams)
        throws AnnotatedException
    {
        // Without a delta CRL there is nothing to cross-check against the complete CRL.
        if (deltaCRL == null)
        {
            return;
        }
        IssuingDistributionPoint completeidp = null;
        try
        {
            completeidp = IssuingDistributionPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(
                completeCRL, RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT));
        }
        catch (Exception e)
        {
            // Deliberately broad: any failure while decoding the IDP is a validation error.
            throw new AnnotatedException("Issuing distribution point extension could not be decoded.", e);
        }

        // The checks below tie the delta CRL to this complete CRL and are only
        // applied when the caller opted into delta CRL processing.
        if (pkixParams.isUseDeltasEnabled())
        {
            // (c) (1) both CRLs must be issued by the same authority.
            if (!deltaCRL.getIssuerX500Principal().equals(completeCRL.getIssuerX500Principal()))
            {
                throw new AnnotatedException("Complete CRL issuer does not match delta CRL issuer.");
            }

            // (c) (2) the issuing distribution point of the delta CRL must equal the
            // one of the complete CRL; both being absent also counts as a match.
            IssuingDistributionPoint deltaidp = null;
            try
            {
                deltaidp = IssuingDistributionPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(
                    deltaCRL, ISSUING_DISTRIBUTION_POINT));
            }
            catch (Exception e)
            {
                throw new AnnotatedException(
                    "Issuing distribution point extension from delta CRL could not be decoded.", e);
            }

            boolean match = false;
            if (completeidp == null)
            {
                if (deltaidp == null)
                {
                    match = true;
                }
            }
            else
            {
                if (completeidp.equals(deltaidp))
                {
                    match = true;
                }
            }
            if (!match)
            {
                throw new AnnotatedException(
                    "Issuing distribution point extension from delta CRL and complete CRL does not match.");
            }

            // (c) (3) both CRLs must carry an authority key identifier and the two
            // must be equal. A missing identifier on either side is rejected rather
            // than treated as "unknown, therefore matching".
            ASN1Primitive completeKeyIdentifier = null;
            try
            {
                completeKeyIdentifier = CertPathValidatorUtilities.getExtensionValue(
                    completeCRL, AUTHORITY_KEY_IDENTIFIER);
            }
            catch (AnnotatedException e)
            {
                throw new AnnotatedException(
                    "Authority key identifier extension could not be extracted from complete CRL.", e);
            }

            ASN1Primitive deltaKeyIdentifier = null;
            try
            {
                deltaKeyIdentifier = CertPathValidatorUtilities.getExtensionValue(
                    deltaCRL, AUTHORITY_KEY_IDENTIFIER);
            }
            catch (AnnotatedException e)
            {
                throw new AnnotatedException(
                    "Authority key identifier extension could not be extracted from delta CRL.", e);
            }

            if (completeKeyIdentifier == null)
            {
                throw new AnnotatedException("CRL authority key identifier is null.");
            }

            if (deltaKeyIdentifier == null)
            {
                throw new AnnotatedException("Delta CRL authority key identifier is null.");
            }

            if (!completeKeyIdentifier.equals(deltaKeyIdentifier))
            {
                throw new AnnotatedException(
                    "Delta CRL authority key identifier does not match complete CRL authority key identifier.");
            }
        }
    }

    /**
     * CRL processing step (i): when delta CRL processing is enabled and a delta
     * CRL is available, the certificate is looked up in the delta CRL via
     * {@code CertPathValidatorUtilities.getCertStatus}, which is expected to
     * update {@code certStatus}. Otherwise this method does nothing.
     *
     * @param validDate  the time at which revocation status is evaluated
     * @param deltacrl   the delta CRL, may be {@code null}
     * @param cert       the certificate whose status is being determined
     * @param certStatus the status object handed to {@code getCertStatus}
     * @param pkixParams PKIX parameters; only {@code isUseDeltasEnabled()} is consulted
     * @throws AnnotatedException if the lookup in the delta CRL fails
     */
    protected static void processCRLI(
        Date validDate,
        X509CRL deltacrl,
        Object cert,
        CertStatus certStatus,
        ExtendedPKIXParameters pkixParams)
        throws AnnotatedException
    {
        if (pkixParams.isUseDeltasEnabled() && deltacrl != null)
        {
            CertPathValidatorUtilities.getCertStatus(validDate, deltacrl, cert, certStatus);
        }
    }

    /**
     * CRL processing step (j): if the certificate is still marked
     * {@code CertStatus.UNREVOKED} (presumably after the delta CRL step), it is
     * looked up in the complete CRL via
     * {@code CertPathValidatorUtilities.getCertStatus}.
     *
     * @param validDate   the time at which revocation status is evaluated
     * @param completecrl the complete CRL
     * @param cert        the certificate whose status is being determined
     * @param certStatus  the status object handed to {@code getCertStatus}
     * @throws AnnotatedException if the lookup in the complete CRL fails
     */
    protected static void processCRLJ(
        Date validDate,
        X509CRL completecrl,
        Object cert,
        CertStatus certStatus)
        throws AnnotatedException
    {
        if (certStatus.getCertStatus() == CertStatus.UNREVOKED)
        {
            CertPathValidatorUtilities.getCertStatus(validDate, completecrl, cert, certStatus);
        }
    }

    /**
     * "Prepare for next certificate" step (b): applies the policy mappings
     * extension of the certificate at {@code index} to the valid policy tree.
     * <p>
     * For every issuer domain policy of the extension: while
     * {@code policyMapping > 0} (step (1)) the node at depth {@code i} with that
     * valid policy gets the mapped subject domain policies as its expected
     * policies, or, if there is no such node but an anyPolicy node at that depth,
     * a new child node is created for the mapping; when
     * {@code policyMapping <= 0} (step (2)) the node with that valid policy is
     * removed and nodes without children at shallower depths are pruned.
     *
     * @param certPath        the certification path being validated
     * @param index           index of the certificate in {@code certPath}
     * @param policyNodes     policy nodes per depth; {@code policyNodes[i]} is
     *                        read and modified for this certificate's depth
     * @param validPolicyTree the current valid policy tree, may be {@code null}
     * @param policyMapping   the current policy_mapping state variable
     * @return the possibly pruned valid policy tree, {@code null} if it became empty
     * @throws CertPathValidatorException if the policy mappings, certificate
     *         policies or policy qualifier data cannot be decoded
     */
    protected static PKIXPolicyNode prepareCertB(
        CertPath certPath,
        int index,
        List[] policyNodes,
        PKIXPolicyNode validPolicyTree,
        int policyMapping)
        throws CertPathValidatorException
    {
        List certs = certPath.getCertificates();
        X509Certificate cert = (X509Certificate)certs.get(index);
        int n = certs.size();
        // i as defined in the algorithm description
        int i = n - index;
        // (b)
        //
        ASN1Sequence pm = null;
        try
        {
            pm = DERSequence.getInstance(CertPathValidatorUtilities.getExtensionValue(cert,
                RFC3280CertPathUtilities.POLICY_MAPPINGS));
        }
        catch (AnnotatedException ex)
        {
            throw new ExtCertPathValidatorException("Policy mappings extension could not be decoded.", ex, certPath,
                index);
        }
        PKIXPolicyNode _validPolicyTree = validPolicyTree;
        if (pm != null)
        {
            ASN1Sequence mappings = (ASN1Sequence)pm;
            // m_idp: issuer domain policy OID -> set of subject domain policy OIDs
            // s_idp: the distinct issuer domain policy OIDs, in insertion order of first sight
            Map m_idp = new HashMap();
            Set s_idp = new HashSet();

            // The casts below assume each mapping is a SEQUENCE of two OIDs;
            // presumably already validated by the preceding step (a) - verify.
            for (int j = 0; j < mappings.size(); j++)
            {
                ASN1Sequence mapping = (ASN1Sequence)mappings.getObjectAt(j);
                String id_p = ((DERObjectIdentifier)mapping.getObjectAt(0)).getId();
                String sd_p = ((DERObjectIdentifier)mapping.getObjectAt(1)).getId();
                Set tmp;

                if (!m_idp.containsKey(id_p))
                {
                    tmp = new HashSet();
                    tmp.add(sd_p);
                    m_idp.put(id_p, tmp);
                    s_idp.add(id_p);
                }
                else
                {
                    tmp = (Set)m_idp.get(id_p);
                    tmp.add(sd_p);
                }
            }

            Iterator it_idp = s_idp.iterator();
            while (it_idp.hasNext())
            {
                String id_p = (String)it_idp.next();

                //
                // (1)
                //
                if (policyMapping > 0)
                {
                    // Look for a node at this depth whose valid policy is the
                    // issuer domain policy; if found, its expected policies are
                    // replaced by the mapped subject domain policies.
                    boolean idp_found = false;
                    Iterator nodes_i = policyNodes[i].iterator();
                    while (nodes_i.hasNext())
                    {
                        PKIXPolicyNode node = (PKIXPolicyNode)nodes_i.next();
                        if (node.getValidPolicy().equals(id_p))
                        {
                            idp_found = true;
                            node.expectedPolicies = (Set)m_idp.get(id_p);
                            break;
                        }
                    }

                    if (!idp_found)
                    {
                        // No matching node: if there is an anyPolicy node at this
                        // depth, create a child of its parent for the mapped policy.
                        nodes_i = policyNodes[i].iterator();
                        while (nodes_i.hasNext())
                        {
                            PKIXPolicyNode node = (PKIXPolicyNode)nodes_i.next();
                            if (RFC3280CertPathUtilities.ANY_POLICY.equals(node.getValidPolicy()))
                            {
                                // pq stays null unless the certificate policies
                                // extension contains an anyPolicy entry with qualifiers.
                                Set pq = null;
                                ASN1Sequence policies = null;
                                try
                                {
                                    policies = (ASN1Sequence)CertPathValidatorUtilities.getExtensionValue(cert,
                                        RFC3280CertPathUtilities.CERTIFICATE_POLICIES);
                                }
                                catch (AnnotatedException e)
                                {
                                    throw new ExtCertPathValidatorException(
                                        "Certificate policies extension could not be decoded.", e, certPath, index);
                                }
                                // NOTE(review): policies is dereferenced without a null check;
                                // presumably an anyPolicy node at this depth implies the
                                // extension is present - confirm against processCertD.
                                Enumeration e = policies.getObjects();
                                while (e.hasMoreElements())
                                {
                                    PolicyInformation pinfo = null;
                                    try
                                    {
                                        pinfo = PolicyInformation.getInstance(e.nextElement());
                                    }
                                    catch (Exception ex)
                                    {
                                        throw new CertPathValidatorException(
                                            "Policy information could not be decoded.", ex, certPath, index);
                                    }
                                    if (RFC3280CertPathUtilities.ANY_POLICY.equals(pinfo.getPolicyIdentifier().getId()))
                                    {
                                        try
                                        {
                                            pq = CertPathValidatorUtilities
                                                .getQualifierSet(pinfo.getPolicyQualifiers());
                                        }
                                        catch (CertPathValidatorException ex)
                                        {

                                            throw new ExtCertPathValidatorException(
                                                "Policy qualifier info set could not be decoded.", ex, certPath,
                                                index);
                                        }
                                        // Only the first anyPolicy entry's qualifiers are used.
                                        break;
                                    }
                                }
                                // ci: whether the certificate policies extension is marked critical.
                                boolean ci = false;
                                if (cert.getCriticalExtensionOIDs() != null)
                                {
                                    ci = cert.getCriticalExtensionOIDs().contains(
                                        RFC3280CertPathUtilities.CERTIFICATE_POLICIES);
                                }

                                // The new node hangs off the anyPolicy node's parent, and only
                                // when that parent itself has anyPolicy as its valid policy.
                                PKIXPolicyNode p_node = (PKIXPolicyNode)node.getParent();
                                if (RFC3280CertPathUtilities.ANY_POLICY.equals(p_node.getValidPolicy()))
                                {
                                    PKIXPolicyNode c_node = new PKIXPolicyNode(new ArrayList(), i, (Set)m_idp
                                        .get(id_p), p_node, pq, id_p, ci);
                                    p_node.addChild(c_node);
                                    policyNodes[i].add(c_node);
                                }
                                // At most one anyPolicy node is handled per issuer domain policy.
                                break;
                            }
                        }
                    }

                    //
                    // (2)
                    //
                }
                else if (policyMapping <= 0)
                {
                    // Policy mapping is inhibited: drop the node for this issuer domain
                    // policy and prune any node at a shallower depth left without children.
                    Iterator nodes_i = policyNodes[i].iterator();
                    while (nodes_i.hasNext())
                    {
                        PKIXPolicyNode node = (PKIXPolicyNode)nodes_i.next();
                        if (node.getValidPolicy().equals(id_p))
                        {
                            PKIXPolicyNode p_node = (PKIXPolicyNode)node.getParent();
                            p_node.removeChild(node);
                            nodes_i.remove();
                            for (int k = (i - 1); k >= 0; k--)
                            {
                                List nodes = policyNodes[k];
                                // NOTE(review): removePolicyNode receives policyNodes and may
                                // modify the list being index-iterated here - presumably
                                // tolerated by its implementation; confirm.
                                for (int l = 0; l < nodes.size(); l++)
                                {
                                    PKIXPolicyNode node2 = (PKIXPolicyNode)nodes.get(l);
                                    if (!node2.hasChildren())
                                    {
                                        _validPolicyTree = CertPathValidatorUtilities.removePolicyNode(
                                            _validPolicyTree, policyNodes, node2);
                                        if (_validPolicyTree == null)
                                        {
                                            // Leaves only the loop over l; the loop over k continues
                                            // and may call removePolicyNode with a null tree.
                                            break;
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
        return _validPolicyTree;
    }

    /**
     * "Prepare for next certificate" step (a): rejects a policy mappings
     * extension in which any mapping uses anyPolicy as its issuer domain policy
     * or as its subject domain policy. The extension is decoded here with
     * {@code getInstance} calls so that malformed contents surface as a
     * validation error rather than a runtime cast failure.
     *
     * @param certPath the certification path being validated
     * @param index    index of the certificate in {@code certPath}
     * @throws CertPathValidatorException if the extension or one of its
     *         mappings cannot be decoded, or if a mapping names anyPolicy
     */
    protected static void prepareNextCertA(
        CertPath certPath,
        int index)
        throws CertPathValidatorException
    {
        List certs = certPath.getCertificates();
        X509Certificate cert = (X509Certificate)certs.get(index);
        //
        //
        // (a) check the policy mappings
        //
        ASN1Sequence pm = null;
        try
        {
            pm = DERSequence.getInstance(CertPathValidatorUtilities.getExtensionValue(cert,
                RFC3280CertPathUtilities.POLICY_MAPPINGS));
        }
        catch (AnnotatedException ex)
        {
            throw new ExtCertPathValidatorException("Policy mappings extension could not be decoded.", ex, certPath,
                index);
        }
        if (pm != null)
        {
            ASN1Sequence mappings = pm;

            for (int j = 0; j < mappings.size(); j++)
            {
                DERObjectIdentifier issuerDomainPolicy = null;
                DERObjectIdentifier subjectDomainPolicy = null;
                try
                {
                    ASN1Sequence mapping = DERSequence.getInstance(mappings.getObjectAt(j));

                    issuerDomainPolicy = DERObjectIdentifier.getInstance(mapping.getObjectAt(0));
                    subjectDomainPolicy = DERObjectIdentifier.getInstance(mapping.getObjectAt(1));
                }
                catch (Exception e)
                {
                    throw new ExtCertPathValidatorException("Policy mappings extension contents could not be decoded.",
                        e, certPath, index);
                }

                if (RFC3280CertPathUtilities.ANY_POLICY.equals(issuerDomainPolicy.getId()))
                {

                    throw new CertPathValidatorException("IssuerDomainPolicy is anyPolicy", null, certPath, index);
                }

                if (RFC3280CertPathUtilities.ANY_POLICY.equals(subjectDomainPolicy.getId()))
                {

                    throw new CertPathValidatorException("SubjectDomainPolicy is anyPolicy,", null, certPath, index);
                }
            }
        }
    }

    /**
     * Basic certificate processing step (f): when explicit policy is required
     * ({@code explicitPolicy <= 0}) the valid policy tree must not be empty.
     *
     * @param certPath        the certification path being validated
     * @param index           index of the certificate in {@code certPath}
     * @param validPolicyTree the current valid policy tree, may be {@code null}
     * @param explicitPolicy  the current explicit_policy state variable
     * @throws CertPathValidatorException if explicit policy is required but the
     *         valid policy tree is {@code null}
     */
    protected static void processCertF(
        CertPath certPath,
        int index,
        PKIXPolicyNode validPolicyTree,
        int explicitPolicy)
        throws CertPathValidatorException
    {
        //
        // (f)
        //
        if (explicitPolicy <= 0 && validPolicyTree == null)
        {
            throw new ExtCertPathValidatorException("No valid policy tree found when one expected.", null, certPath,
                index);
        }
    }

    /**
     * Basic certificate processing step (e): if the certificate carries no
     * certificate policies extension, the valid policy tree becomes {@code null}.
     * The tree is otherwise returned unchanged.
     *
     * @param certPath        the certification path being validated
     * @param index           index of the certificate in {@code certPath}
     * @param validPolicyTree the current valid policy tree, may be {@code null}
     * @return {@code validPolicyTree}, or {@code null} when the certificate has
     *         no certificate policies extension
     * @throws CertPathValidatorException if the extension cannot be read
     */
    protected static PKIXPolicyNode processCertE(
        CertPath certPath,
        int index,
        PKIXPolicyNode validPolicyTree)
        throws CertPathValidatorException
    {
        List certs = certPath.getCertificates();
        X509Certificate cert = (X509Certificate)certs.get(index);
        //
        // (e)
        //
        ASN1Sequence certPolicies = null;
        try
        {
            certPolicies = DERSequence.getInstance(CertPathValidatorUtilities.getExtensionValue(cert,
                RFC3280CertPathUtilities.CERTIFICATE_POLICIES));
        }
        catch (AnnotatedException e)
        {
            throw new ExtCertPathValidatorException("Could not read certificate policies extension from certificate.",
                e, certPath, index);
        }
        if (certPolicies == null)
        {
            validPolicyTree = null;
        }
        return validPolicyTree;
    }

    /**
     * Basic certificate processing steps (b) and (c): name constraint checking
     * of the certificate's subject name (and, further down, its subject
     * alternative names) against the permitted and excluded subtrees held by
     * {@code nameConstraintValidator}. Self-issued certificates that are not
     * the last one in the path are skipped.
     *
     * @param certPath                the certification path being validated
     * @param index                   index of the certificate in {@code certPath}
     * @param nameConstraintValidator accumulated permitted/excluded subtrees
     * @throws CertPathValidatorException if a name cannot be extracted or decoded,
     *         or if a subtree check fails
     */
    protected static void processCertBC(
        CertPath certPath,
        int index,
        PKIXNameConstraintValidator nameConstraintValidator)
        throws CertPathValidatorException
    {
        List certs = certPath.getCertificates();
        X509Certificate cert = (X509Certificate)certs.get(index);
        int n = certs.size();
        // i as defined in the algorithm description
        int i = n - index;
        //
1161c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // (b), (c) permitted and excluded subtree checking. 1162c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // 1163c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (!(CertPathValidatorUtilities.isSelfIssued(cert) && (i < n))) 1164c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1165c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom X500Principal principal = CertPathValidatorUtilities.getSubjectPrincipal(cert); 1166c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom ASN1InputStream aIn = new ASN1InputStream(principal.getEncoded()); 1167c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom ASN1Sequence dns; 1168c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1169c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom try 1170c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1171c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom dns = DERSequence.getInstance(aIn.readObject()); 1172c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1173c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom catch (Exception e) 1174c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1175c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw new CertPathValidatorException("Exception extracting subject name when checking subtrees.", e, 1176c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom certPath, index); 1177c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1178c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1179c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom try 1180c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1181c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom nameConstraintValidator.checkPermittedDN(dns); 1182c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom nameConstraintValidator.checkExcludedDN(dns); 1183c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 
1184c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom catch (PKIXNameConstraintValidatorException e) 1185c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1186c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw new CertPathValidatorException("Subtree check for certificate subject failed.", e, certPath, 1187c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom index); 1188c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1189c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1190c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom GeneralNames altName = null; 1191c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom try 1192c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1193c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom altName = GeneralNames.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, 1194c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom RFC3280CertPathUtilities.SUBJECT_ALTERNATIVE_NAME)); 1195c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1196c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom catch (Exception e) 1197c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1198c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw new CertPathValidatorException("Subject alternative name extension could not be decoded.", e, 1199c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom certPath, index); 1200c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1201c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom Vector emails = new X509Name(dns).getValues(X509Name.EmailAddress); 1202c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom for (Enumeration e = emails.elements(); e.hasMoreElements();) 1203c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1204c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom String email = (String)e.nextElement(); 1205c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom GeneralName emailAsGeneralName 
= new GeneralName(GeneralName.rfc822Name, email); 1206c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom try 1207c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1208c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom nameConstraintValidator.checkPermitted(emailAsGeneralName); 1209c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom nameConstraintValidator.checkExcluded(emailAsGeneralName); 1210c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1211c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom catch (PKIXNameConstraintValidatorException ex) 1212c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1213c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw new CertPathValidatorException( 1214c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom "Subtree check for certificate subject alternative email failed.", ex, certPath, index); 1215c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1216c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1217c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (altName != null) 1218c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1219c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom GeneralName[] genNames = null; 1220c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom try 1221c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1222c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom genNames = altName.getNames(); 1223c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1224c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom catch (Exception e) 1225c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1226c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw new CertPathValidatorException("Subject alternative name contents could not be decoded.", e, 1227c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom certPath, index); 1228c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 
1229c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom for (int j = 0; j < genNames.length; j++) 1230c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1231c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1232c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom try 1233c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1234c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom nameConstraintValidator.checkPermitted(genNames[j]); 1235c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom nameConstraintValidator.checkExcluded(genNames[j]); 1236c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1237c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom catch (PKIXNameConstraintValidatorException e) 1238c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1239c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw new CertPathValidatorException( 1240c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom "Subtree check for certificate subject alternative name failed.", e, certPath, index); 1241c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1242c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1243c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1244c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1245c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1246c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1247c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom protected static PKIXPolicyNode processCertD( 1248c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom CertPath certPath, 1249c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom int index, 1250c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom Set acceptablePolicies, 1251c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom PKIXPolicyNode validPolicyTree, 1252c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom List[] policyNodes, 1253c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom int 
inhibitAnyPolicy) 1254c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throws CertPathValidatorException 1255c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1256c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom List certs = certPath.getCertificates(); 1257c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom X509Certificate cert = (X509Certificate)certs.get(index); 1258c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom int n = certs.size(); 1259c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // i as defined in the algorithm description 1260c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom int i = n - index; 1261c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // 1262c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // (d) policy Information checking against initial policy and 1263c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // policy mapping 1264c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // 1265c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom ASN1Sequence certPolicies = null; 1266c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom try 1267c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1268c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom certPolicies = DERSequence.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, 1269c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom RFC3280CertPathUtilities.CERTIFICATE_POLICIES)); 1270c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1271c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom catch (AnnotatedException e) 1272c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1273c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw new ExtCertPathValidatorException("Could not read certificate policies extension from certificate.", 1274c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom e, certPath, index); 1275c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 
1276c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (certPolicies != null && validPolicyTree != null) 1277c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1278c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // 1279c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // (d) (1) 1280c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // 1281c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom Enumeration e = certPolicies.getObjects(); 1282c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom Set pols = new HashSet(); 1283c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1284c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom while (e.hasMoreElements()) 1285c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1286c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom PolicyInformation pInfo = PolicyInformation.getInstance(e.nextElement()); 1287c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom DERObjectIdentifier pOid = pInfo.getPolicyIdentifier(); 1288c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1289c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom pols.add(pOid.getId()); 1290c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1291c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (!RFC3280CertPathUtilities.ANY_POLICY.equals(pOid.getId())) 1292c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1293c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom Set pq = null; 1294c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom try 1295c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1296c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom pq = CertPathValidatorUtilities.getQualifierSet(pInfo.getPolicyQualifiers()); 1297c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1298c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom catch (CertPathValidatorException ex) 1299c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 
1300c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw new ExtCertPathValidatorException("Policy qualifier info set could not be build.", ex, 1301c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom certPath, index); 1302c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1303c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1304c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom boolean match = CertPathValidatorUtilities.processCertD1i(i, policyNodes, pOid, pq); 1305c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1306c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (!match) 1307c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1308c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom CertPathValidatorUtilities.processCertD1ii(i, policyNodes, pOid, pq); 1309c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1310c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1311c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1312c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1313c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (acceptablePolicies.isEmpty() || acceptablePolicies.contains(RFC3280CertPathUtilities.ANY_POLICY)) 1314c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1315c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom acceptablePolicies.clear(); 1316c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom acceptablePolicies.addAll(pols); 1317c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1318c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom else 1319c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1320c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom Iterator it = acceptablePolicies.iterator(); 1321c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom Set t1 = new HashSet(); 1322c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1323c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom while (it.hasNext()) 
1324c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1325c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom Object o = it.next(); 1326c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1327c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (pols.contains(o)) 1328c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1329c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom t1.add(o); 1330c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1331c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1332c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom acceptablePolicies.clear(); 1333c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom acceptablePolicies.addAll(t1); 1334c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1335c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1336c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // 1337c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // (d) (2) 1338c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // 1339c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if ((inhibitAnyPolicy > 0) || ((i < n) && CertPathValidatorUtilities.isSelfIssued(cert))) 1340c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1341c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom e = certPolicies.getObjects(); 1342c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1343c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom while (e.hasMoreElements()) 1344c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1345c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom PolicyInformation pInfo = PolicyInformation.getInstance(e.nextElement()); 1346c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1347c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (RFC3280CertPathUtilities.ANY_POLICY.equals(pInfo.getPolicyIdentifier().getId())) 1348c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 
1349c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom Set _apq = CertPathValidatorUtilities.getQualifierSet(pInfo.getPolicyQualifiers()); 1350c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom List _nodes = policyNodes[i - 1]; 1351c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1352c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom for (int k = 0; k < _nodes.size(); k++) 1353c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1354c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom PKIXPolicyNode _node = (PKIXPolicyNode)_nodes.get(k); 1355c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1356c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom Iterator _policySetIter = _node.getExpectedPolicies().iterator(); 1357c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom while (_policySetIter.hasNext()) 1358c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1359c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom Object _tmp = _policySetIter.next(); 1360c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1361c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom String _policy; 1362c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (_tmp instanceof String) 1363c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1364c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom _policy = (String)_tmp; 1365c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1366c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom else if (_tmp instanceof DERObjectIdentifier) 1367c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1368c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom _policy = ((DERObjectIdentifier)_tmp).getId(); 1369c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1370c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom else 1371c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1372c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom continue; 
1373c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1374c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1375c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom boolean _found = false; 1376c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom Iterator _childrenIter = _node.getChildren(); 1377c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1378c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom while (_childrenIter.hasNext()) 1379c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1380c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom PKIXPolicyNode _child = (PKIXPolicyNode)_childrenIter.next(); 1381c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1382c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (_policy.equals(_child.getValidPolicy())) 1383c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1384c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom _found = true; 1385c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1386c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1387c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1388c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (!_found) 1389c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1390c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom Set _newChildExpectedPolicies = new HashSet(); 1391c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom _newChildExpectedPolicies.add(_policy); 1392c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1393c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom PKIXPolicyNode _newChild = new PKIXPolicyNode(new ArrayList(), i, 1394c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom _newChildExpectedPolicies, _node, _apq, _policy, false); 1395c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom _node.addChild(_newChild); 1396c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom policyNodes[i].add(_newChild); 
1397c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1398c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1399c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1400c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom break; 1401c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1402c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1403c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1404c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1405c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom PKIXPolicyNode _validPolicyTree = validPolicyTree; 1406c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // 1407c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // (d) (3) 1408c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // 1409c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom for (int j = (i - 1); j >= 0; j--) 1410c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1411c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom List nodes = policyNodes[j]; 1412c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1413c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom for (int k = 0; k < nodes.size(); k++) 1414c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1415c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom PKIXPolicyNode node = (PKIXPolicyNode)nodes.get(k); 1416c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (!node.hasChildren()) 1417c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1418c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom _validPolicyTree = CertPathValidatorUtilities.removePolicyNode(_validPolicyTree, policyNodes, 1419c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom node); 1420c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (_validPolicyTree == null) 1421c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1422c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom break; 
1423c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1424c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1425c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1426c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1427c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1428c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // 1429c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // d (4) 1430c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // 1431c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom Set criticalExtensionOids = cert.getCriticalExtensionOIDs(); 1432c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1433c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (criticalExtensionOids != null) 1434c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1435c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom boolean critical = criticalExtensionOids.contains(RFC3280CertPathUtilities.CERTIFICATE_POLICIES); 1436c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1437c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom List nodes = policyNodes[i]; 1438c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom for (int j = 0; j < nodes.size(); j++) 1439c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1440c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom PKIXPolicyNode node = (PKIXPolicyNode)nodes.get(j); 1441c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom node.setCritical(critical); 1442c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1443c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1444c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom return _validPolicyTree; 1445c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1446c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom return null; 1447c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1448c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 
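/**
 * RFC 3280 basic certificate processing step (a) for the certificate at
 * {@code index}: (1) signature verification against {@code workingPublicKey}
 * unless {@code verificationAlreadyPerformed}, (2) validity-period check at
 * the date derived from the validity model in {@code paramsPKIX}, (3) CRL
 * revocation check when revocation is enabled in {@code paramsPKIX}, and
 * (4) issuer name chaining against {@code workingIssuerName}.
 *
 * @param certPath the path being validated
 * @param paramsPKIX validation parameters (signature provider, revocation
 *                   flag, validity model)
 * @param index position of the certificate under examination
 * @param workingPublicKey the key the certificate must verify under
 * @param verificationAlreadyPerformed true to skip step (a)(1)
 * @param workingIssuerName the subject of the signing certificate
 * @param sign the signing certificate, passed through to {@code checkCRLs}
 * @throws ExtCertPathValidatorException if any of the four checks fails or
 *         the validity date cannot be derived
 */
protected static void processCertA(
    CertPath certPath,
    ExtendedPKIXParameters paramsPKIX,
    int index,
    PublicKey workingPublicKey,
    boolean verificationAlreadyPerformed,
    X500Principal workingIssuerName,
    X509Certificate sign)
    throws ExtCertPathValidatorException
{
    List certs = certPath.getCertificates();
    X509Certificate cert = (X509Certificate)certs.get(index);
    //
    // (a) (1) verify signature
    //
    if (!verificationAlreadyPerformed)
    {
        try
        {
            CertPathValidatorUtilities.verifyX509Certificate(cert, workingPublicKey,
                paramsPKIX.getSigProvider());
        }
        catch (GeneralSecurityException e)
        {
            throw new ExtCertPathValidatorException("Could not validate certificate signature.", e, certPath, index);
        }
    }

    // The validity-model date is derived once and shared by (a)(2) and (a)(3), so
    // both checks are evaluated at the same instant.
    Date validDate;
    try
    {
        validDate = CertPathValidatorUtilities.getValidCertDateFromValidityModel(paramsPKIX, certPath, index);
    }
    catch (AnnotatedException e)
    {
        throw new ExtCertPathValidatorException("Could not validate time of certificate.", e, certPath, index);
    }

    //
    // (a) (2) validity period
    //
    try
    {
        cert.checkValidity(validDate);
    }
    catch (CertificateExpiredException e)
    {
        throw new ExtCertPathValidatorException("Could not validate certificate: " + e.getMessage(), e, certPath, index);
    }
    catch (CertificateNotYetValidException e)
    {
        throw new ExtCertPathValidatorException("Could not validate certificate: " + e.getMessage(), e, certPath, index);
    }

    //
    // (a) (3) revocation
    //
    if (paramsPKIX.isRevocationEnabled())
    {
        try
        {
            checkCRLs(paramsPKIX, cert, validDate, sign, workingPublicKey, certs);
        }
        catch (AnnotatedException e)
        {
            // Report the underlying cause when the annotation wrapper carries one.
            Throwable cause = e;
            if (null != e.getCause())
            {
                cause = e.getCause();
            }
            throw new ExtCertPathValidatorException(e.getMessage(), cause, certPath, index);
        }
    }

    //
    // (a) (4) name chaining
    //
    X500Principal issuer = CertPathValidatorUtilities.getEncodedIssuerPrincipal(cert);
    if (!issuer.equals(workingIssuerName))
    {
        throw new ExtCertPathValidatorException("IssuerName(" + issuer
            + ") does not match SubjectName(" + workingIssuerName + ") of signing certificate.", null,
            certPath, index);
    }
}

/**
 * Prepare-next-certificate step (i) for requireExplicitPolicy: if the
 * policyConstraints extension of the certificate at {@code index} carries a
 * [0] (requireExplicitPolicy) SkipCerts value smaller than
 * {@code explicitPolicy}, that value is returned; otherwise
 * {@code explicitPolicy} is returned unchanged.
 *
 * @param certPath the path being validated
 * @param index position of the certificate under examination
 * @param explicitPolicy current explicit_policy counter
 * @return the new explicit_policy counter
 * @throws CertPathValidatorException if the extension or its contents cannot
 *         be decoded, or the SkipCerts value is outside 0..Integer.MAX_VALUE
 */
protected static int prepareNextCertI1(
    CertPath certPath,
    int index,
    int explicitPolicy)
    throws CertPathValidatorException
{
    List certs = certPath.getCertificates();
    X509Certificate cert = (X509Certificate)certs.get(index);
    //
    // (i)
    //
    ASN1Sequence pc = null;
    try
    {
        pc = DERSequence.getInstance(CertPathValidatorUtilities.getExtensionValue(cert,
            RFC3280CertPathUtilities.POLICY_CONSTRAINTS));
    }
    catch (Exception e)
    {
        throw new ExtCertPathValidatorException("Policy constraints extension cannot be decoded.", e, certPath,
            index);
    }

    if (pc != null)
    {
        Enumeration policyConstraints = pc.getObjects();

        while (policyConstraints.hasMoreElements())
        {
            try
            {
                ASN1TaggedObject constraint = ASN1TaggedObject.getInstance(policyConstraints.nextElement());
                // [0] requireExplicitPolicy
                if (constraint.getTagNo() == 0)
                {
                    int tmpInt = skipCertsValue(constraint);
                    if (tmpInt < explicitPolicy)
                    {
                        return tmpInt;
                    }
                    break;
                }
            }
            catch (IllegalArgumentException e)
            {
                throw new ExtCertPathValidatorException("Policy constraints extension contents cannot be decoded.",
                    e, certPath, index);
            }
        }
    }
    return explicitPolicy;
}

/**
 * Prepare-next-certificate step (i) for inhibitPolicyMapping: if the
 * policyConstraints extension of the certificate at {@code index} carries a
 * [1] (inhibitPolicyMapping) SkipCerts value smaller than
 * {@code policyMapping}, that value is returned; otherwise
 * {@code policyMapping} is returned unchanged.
 *
 * @param certPath the path being validated
 * @param index position of the certificate under examination
 * @param policyMapping current policy_mapping counter
 * @return the new policy_mapping counter
 * @throws CertPathValidatorException if the extension or its contents cannot
 *         be decoded, or the SkipCerts value is outside 0..Integer.MAX_VALUE
 */
protected static int prepareNextCertI2(
    CertPath certPath,
    int index,
    int policyMapping)
    throws CertPathValidatorException
{
    List certs = certPath.getCertificates();
    X509Certificate cert = (X509Certificate)certs.get(index);
    //
    // (i)
    //
    ASN1Sequence pc = null;
    try
    {
        pc = DERSequence.getInstance(CertPathValidatorUtilities.getExtensionValue(cert,
            RFC3280CertPathUtilities.POLICY_CONSTRAINTS));
    }
    catch (Exception e)
    {
        throw new ExtCertPathValidatorException("Policy constraints extension cannot be decoded.", e, certPath,
            index);
    }

    if (pc != null)
    {
        Enumeration policyConstraints = pc.getObjects();

        while (policyConstraints.hasMoreElements())
        {
            try
            {
                ASN1TaggedObject constraint = ASN1TaggedObject.getInstance(policyConstraints.nextElement());
                // [1] inhibitPolicyMapping
                if (constraint.getTagNo() == 1)
                {
                    int tmpInt = skipCertsValue(constraint);
                    if (tmpInt < policyMapping)
                    {
                        return tmpInt;
                    }
                    break;
                }
            }
            catch (IllegalArgumentException e)
            {
                throw new ExtCertPathValidatorException("Policy constraints extension contents cannot be decoded.",
                    e, certPath, index);
            }
        }
    }
    return policyMapping;
}

/**
 * Decodes the SkipCerts INTEGER of a policyConstraints component and rejects
 * values outside 0..Integer.MAX_VALUE.
 *
 * SkipCerts is defined as INTEGER (0..MAX). Converting it with
 * {@code BigInteger.intValue()} alone silently keeps only the low 32 bits, so
 * an over-wide or negative encoding in an untrusted certificate would feed an
 * arbitrary (possibly negative) counter into the explicit-policy and
 * policy-mapping state; rejecting it here routes such input through the
 * existing "contents cannot be decoded" error path of the callers.
 *
 * @param constraint the tagged [0] or [1] policyConstraints component
 * @return the decoded SkipCerts value
 * @throws IllegalArgumentException if the component is not an INTEGER or its
 *         value is negative or wider than 31 bits
 */
private static int skipCertsValue(ASN1TaggedObject constraint)
{
    BigInteger value = DERInteger.getInstance(constraint, false).getValue();
    if (value.signum() < 0 || value.bitLength() > 31)
    {
        throw new IllegalArgumentException("SkipCerts value out of range: " + value);
    }
    return value.intValue();
}

// --- head of the following method (unchanged; its body lies after this chunk) ---
protected static void prepareNextCertG(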
CertPath certPath, 1642c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom int index, 1643c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom PKIXNameConstraintValidator nameConstraintValidator) 1644c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throws CertPathValidatorException 1645c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1646c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom List certs = certPath.getCertificates(); 1647c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom X509Certificate cert = (X509Certificate)certs.get(index); 1648c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // 1649c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // (g) handle the name constraints extension 1650c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // 1651c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom NameConstraints nc = null; 1652c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom try 1653c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1654c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom ASN1Sequence ncSeq = DERSequence.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, 1655c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom RFC3280CertPathUtilities.NAME_CONSTRAINTS)); 1656c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (ncSeq != null) 1657c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 16584c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom nc = NameConstraints.getInstance(ncSeq); 1659c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1660c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1661c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom catch (Exception e) 1662c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1663c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw new ExtCertPathValidatorException("Name constraints extension could not be decoded.", e, certPath, 
1664c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom index); 1665c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1666c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (nc != null) 1667c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1668c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1669c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // 1670c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // (g) (1) permitted subtrees 1671c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // 1672c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom ASN1Sequence permitted = nc.getPermittedSubtrees(); 1673c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (permitted != null) 1674c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1675c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom try 1676c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1677c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom nameConstraintValidator.intersectPermittedSubtree(permitted); 1678c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1679c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom catch (Exception ex) 1680c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1681c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw new ExtCertPathValidatorException( 1682c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom "Permitted subtrees cannot be build from name constraints extension.", ex, certPath, index); 1683c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1684c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1685c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1686c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // 1687c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // (g) (2) excluded subtrees 1688c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // 1689c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom ASN1Sequence excluded = 
nc.getExcludedSubtrees(); 1690c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (excluded != null) 1691c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1692c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom Enumeration e = excluded.getObjects(); 1693c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom try 1694c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1695c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom while (e.hasMoreElements()) 1696c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1697c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom GeneralSubtree subtree = GeneralSubtree.getInstance(e.nextElement()); 1698c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom nameConstraintValidator.addExcludedSubtree(subtree); 1699c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1700c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1701c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom catch (Exception ex) 1702c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1703c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw new ExtCertPathValidatorException( 1704c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom "Excluded subtrees cannot be build from name constraints extension.", ex, certPath, index); 1705c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1706c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1707c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1708c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1709c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1710c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom /** 1711c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * Checks a distribution point for revocation information for the 1712c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * certificate <code>cert</code>. 
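*
* @param dp The distribution point to consider.
* @param paramsPKIX PKIX parameters.
* @param cert Certificate to check if it is revoked.
* @param validDate The date when the certificate revocation status should be
* checked.
* @param defaultCRLSignCert The issuer certificate of the certificate <code>cert</code>.
* @param defaultCRLSignKey The public key of the issuer certificate
* <code>defaultCRLSignCert</code>.
* @param certStatus The current certificate revocation status; updated in place
* (via <code>setCertStatus</code>) when a CRL lists the certificate.
* @param reasonMask The reasons mask which is already checked; extended in place
* (via <code>addReasons</code>) by every CRL that is accepted.
* @param certPathCerts The certificates of the certification path.
* @throws AnnotatedException if the certificate is revoked or the status cannot be checked
* or some error occurs. In particular, if none of the CRLs obtained for
* <code>dp</code> is accepted, the last rejection is rethrown, or a generic
* "No valid CRL found." exception if every CRL was merely skipped.
*/
    private static void checkCRL(
        DistributionPoint dp,
        ExtendedPKIXParameters paramsPKIX,
        X509Certificate cert,
        Date validDate,
        X509Certificate defaultCRLSignCert,
        PublicKey defaultCRLSignKey,
        CertStatus certStatus,
        ReasonsMask reasonMask,
        List certPathCerts)
        throws AnnotatedException
    {
        Date currentDate = new Date(System.currentTimeMillis());
        // Revocation can only be established for the past; CRLs are fetched
        // relative to "now", so a future validation time cannot be answered.
        if (validDate.getTime() > currentDate.getTime())
        {
            throw new AnnotatedException("Validation time is in future.");
        }

        // (a)
        /*
         * We always get timely valid CRLs, so there is no step (a) (1).
         * "locally cached" CRLs are assumed to be in getStore(), additional
         * CRLs must be enabled in the ExtendedPKIXParameters and are in
         * getAdditionalStore()
         */

        Set crls = CertPathValidatorUtilities.getCompleteCRLs(dp, cert, currentDate, paramsPKIX);
        boolean validCrlFound = false;
        AnnotatedException lastException = null;
        Iterator crlIter = crls.iterator();

        // Stop as soon as the certificate is known to be revoked or every
        // reason code is already covered by an accepted CRL.
        while (crlIter.hasNext() && certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonMask.isAllReasons())
        {
            try
            {
                X509CRL crl = (X509CRL)crlIter.next();

                // (d)
                ReasonsMask interimReasonsMask = RFC3280CertPathUtilities.processCRLD(crl, dp);

                // (e)
                /*
                 * The reasons mask is updated at the end, so only valid CRLs
                 * can update it. If this CRL does not contain new reasons it
                 * must be ignored.
                 */
                if (!interimReasonsMask.hasNewReasons(reasonMask))
                {
                    continue;
                }

                // (f)
                Set keys = RFC3280CertPathUtilities.processCRLF(crl, cert, defaultCRLSignCert, defaultCRLSignKey,
                    paramsPKIX, certPathCerts);
                // (g)
                PublicKey key = RFC3280CertPathUtilities.processCRLG(crl, keys);

                X509CRL deltaCRL = null;

                if (paramsPKIX.isUseDeltasEnabled())
                {
                    // get delta CRLs
                    Set deltaCRLs = CertPathValidatorUtilities.getDeltaCRLs(currentDate, paramsPKIX, crl);
                    // we only want one valid delta CRL
                    // (h)
                    deltaCRL = RFC3280CertPathUtilities.processCRLH(deltaCRLs, key);
                }

                /*
                 * CRL must be be valid at the current time, not the validation
                 * time. If a certificate is revoked with reason keyCompromise,
                 * cACompromise, it can be used for forgery, also for the past.
                 * This reason may not be contained in older CRLs.
                 */

                /*
                 * in the chain model signatures stay valid also after the
                 * certificate has been expired, so they do not have to be in
                 * the CRL validity time
                 */

                if (paramsPKIX.getValidityModel() != ExtendedPKIXParameters.CHAIN_VALIDITY_MODEL)
                {
                    /*
                     * if a certificate has expired, but was revoked, it is not
                     * more in the CRL, so it would be regarded as valid if the
                     * first check is not done
                     */
                    if (cert.getNotAfter().getTime() < crl.getThisUpdate().getTime())
                    {
                        throw new AnnotatedException("No valid CRL for current time found.");
                    }
                }

                RFC3280CertPathUtilities.processCRLB1(dp, cert, crl);

                // (b) (2)
                RFC3280CertPathUtilities.processCRLB2(dp, cert, crl);

                // (c)
                RFC3280CertPathUtilities.processCRLC(deltaCRL, crl, paramsPKIX);

                // (i)
                RFC3280CertPathUtilities.processCRLI(validDate, deltaCRL, cert, certStatus, paramsPKIX);

                // (j)
                RFC3280CertPathUtilities.processCRLJ(validDate, crl, cert, certStatus);

                // (k)
                if (certStatus.getCertStatus() == CRLReason.removeFromCRL)
                {
                    certStatus.setCertStatus(CertStatus.UNREVOKED);
                }

                // update reasons mask
                reasonMask.addReasons(interimReasonsMask);

                // Any critical extension other than the two handled above
                // (issuing distribution point, delta CRL indicator) is not
                // understood here and must cause the CRL to be rejected.
                rejectUnsupportedCriticalExtensions(crl.getCriticalExtensionOIDs(),
                    "CRL contains unsupported critical extensions.");

                if (deltaCRL != null)
                {
                    rejectUnsupportedCriticalExtensions(deltaCRL.getCriticalExtensionOIDs(),
                        "Delta CRL contains unsupported critical extension.");
                }

                validCrlFound = true;
            }
            catch (AnnotatedException e)
            {
                lastException = e;
            }
        }
        if (!validCrlFound)
        {
            // lastException is null when every CRL was skipped by the
            // hasNewReasons() check (or the set was empty); a bare
            // "throw lastException" would then surface as a
            // NullPointerException instead of a revocation failure.
            if (lastException != null)
            {
                throw lastException;
            }
            throw new AnnotatedException("No valid CRL found.");
        }
    }

    /**
     * Rejects a CRL (or delta CRL) that carries a critical extension this
     * validator does not process. The issuing distribution point and delta
     * CRL indicator extensions are excluded from the check because they are
     * handled by the (b)/(c) steps of {@link #checkCRL}.
     *
     * @param criticalExtensions the OIDs returned by
     *            <code>getCriticalExtensionOIDs()</code>; may be <code>null</code>.
     * @param message the exception message to use when an unsupported
     *            critical extension is present.
     * @throws AnnotatedException if an unsupported critical extension remains.
     */
    private static void rejectUnsupportedCriticalExtensions(Set criticalExtensions, String message)
        throws AnnotatedException
    {
        if (criticalExtensions == null)
        {
            return;
        }
        // Copy before removing: the set returned by the CRL may be unmodifiable.
        Set remaining = new HashSet(criticalExtensions);
        remaining.remove(X509Extensions.IssuingDistributionPoint.getId());
        remaining.remove(X509Extensions.DeltaCRLIndicator.getId());

        if (!remaining.isEmpty())
        {
            throw new AnnotatedException(message);
        }
    }

    /**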
1887c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * Checks a certificate if it is revoked. 1888c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * 1889c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * @param paramsPKIX PKIX parameters. 1890c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * @param cert Certificate to check if it is revoked. 1891c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * @param validDate The date when the certificate revocation status should be 1892c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * checked. 1893c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * @param sign The issuer certificate of the certificate <code>cert</code>. 1894c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * @param workingPublicKey The public key of the issuer certificate <code>sign</code>. 1895c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * @param certPathCerts The certificates of the certification path. 1896c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * @throws AnnotatedException if the certificate is revoked or the status cannot be checked 1897c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * or some error occurs. 
1898c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom */ 1899c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom protected static void checkCRLs( 1900c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom ExtendedPKIXParameters paramsPKIX, 1901c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom X509Certificate cert, 1902c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom Date validDate, 1903c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom X509Certificate sign, 1904c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom PublicKey workingPublicKey, 1905c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom List certPathCerts) 1906c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throws AnnotatedException 1907c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1908c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom AnnotatedException lastException = null; 1909c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom CRLDistPoint crldp = null; 1910c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom try 1911c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1912c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom crldp = CRLDistPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, 1913c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom RFC3280CertPathUtilities.CRL_DISTRIBUTION_POINTS)); 1914c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1915c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom catch (Exception e) 1916c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1917c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw new AnnotatedException("CRL distribution point extension could not be read.", e); 1918c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1919c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom try 1920c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1921c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 
CertPathValidatorUtilities.addAdditionalStoresFromCRLDistributionPoint(crldp, paramsPKIX); 1922c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1923c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom catch (AnnotatedException e) 1924c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1925c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw new AnnotatedException( 1926c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom "No additional CRL locations could be decoded from CRL distribution point extension.", e); 1927c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1928c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom CertStatus certStatus = new CertStatus(); 1929c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom ReasonsMask reasonsMask = new ReasonsMask(); 1930c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1931c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom boolean validCrlFound = false; 1932c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // for each distribution point 1933c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (crldp != null) 1934c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1935c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom DistributionPoint dps[] = null; 1936c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom try 1937c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1938c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom dps = crldp.getDistributionPoints(); 1939c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1940c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom catch (Exception e) 1941c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1942c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw new AnnotatedException("Distribution points could not be read.", e); 1943c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1944c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (dps != null) 
1945c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1946c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom for (int i = 0; i < dps.length && certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonsMask.isAllReasons(); i++) 1947c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1948c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom ExtendedPKIXParameters paramsPKIXClone = (ExtendedPKIXParameters)paramsPKIX.clone(); 1949c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom try 1950c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1951c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom checkCRL(dps[i], paramsPKIXClone, cert, validDate, sign, workingPublicKey, certStatus, reasonsMask, certPathCerts); 1952c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom validCrlFound = true; 1953c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1954c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom catch (AnnotatedException e) 1955c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1956c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom lastException = e; 1957c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1958c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1959c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1960c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1961c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1962c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom /* 1963c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * If the revocation status has not been determined, repeat the process 1964c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * above with any available CRLs not specified in a distribution point 1965c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * but issued by the certificate issuer. 
1966c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom */ 1967c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1968c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonsMask.isAllReasons()) 1969c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1970c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom try 1971c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1972c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom /* 1973c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * assume a DP with both the reasons and the cRLIssuer fields 1974c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * omitted and a distribution point name of the certificate 1975c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * issuer. 1976c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom */ 19774c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom ASN1Primitive issuer = null; 1978c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom try 1979c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1980c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom issuer = new ASN1InputStream(CertPathValidatorUtilities.getEncodedIssuerPrincipal(cert).getEncoded()) 1981c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom .readObject(); 1982c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1983c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom catch (Exception e) 1984c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1985c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw new AnnotatedException("Issuer from certificate for CRL could not be reencoded.", e); 1986c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1987c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom DistributionPoint dp = new DistributionPoint(new DistributionPointName(0, new GeneralNames( 1988c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom new 
GeneralName(GeneralName.directoryName, issuer))), null, null); 1989c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom ExtendedPKIXParameters paramsPKIXClone = (ExtendedPKIXParameters)paramsPKIX.clone(); 1990c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom checkCRL(dp, paramsPKIXClone, cert, validDate, sign, workingPublicKey, certStatus, reasonsMask, 1991c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom certPathCerts); 1992c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom validCrlFound = true; 1993c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1994c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom catch (AnnotatedException e) 1995c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1996c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom lastException = e; 1997c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1998c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1999c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 2000c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (!validCrlFound) 2001c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 2002c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (lastException instanceof AnnotatedException) 2003c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 2004c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw lastException; 2005c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 2006c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 2007c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw new AnnotatedException("No valid CRL found.", lastException); 2008c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 2009c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (certStatus.getCertStatus() != CertStatus.UNREVOKED) 2010c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 2011c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom String message = "Certificate revocation after " + 
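certStatus.getRevocationDate();
        // … tail of checkCRLs; the method begins earlier in the file and is left unchanged …
        message += ", reason: " + crlReasons[certStatus.getCertStatus()];
        throw new AnnotatedException(message);
    }
    if (!reasonsMask.isAllReasons() && certStatus.getCertStatus() == CertStatus.UNREVOKED)
    {
        certStatus.setCertStatus(CertStatus.UNDETERMINED);
    }
    if (certStatus.getCertStatus() == CertStatus.UNDETERMINED)
    {
        throw new AnnotatedException("Certificate status could not be determined.");
    }
}

/**
 * RFC 3280 section 6.1.4 step (j): processes the inhibitAnyPolicy extension of the
 * certificate at {@code index} and returns the updated inhibit_any_policy state value.
 *
 * @param certPath         the certification path being validated.
 * @param index            position of the certificate to process within {@code certPath}.
 * @param inhibitAnyPolicy the current inhibit_any_policy state value.
 * @return {@code inhibitAnyPolicy}, lowered to the extension's skipCerts value when the
 *         extension is present and that value is smaller.
 * @throws CertPathValidatorException if the extension cannot be decoded, or if its skipCerts
 *         value is negative or does not fit in an {@code int}.
 */
protected static int prepareNextCertJ(
    CertPath certPath,
    int index,
    int inhibitAnyPolicy)
    throws CertPathValidatorException
{
    List certs = certPath.getCertificates();
    X509Certificate cert = (X509Certificate)certs.get(index);
    //
    // (j)
    //
    DERInteger iap = null;
    try
    {
        iap = DERInteger.getInstance(CertPathValidatorUtilities.getExtensionValue(cert,
            RFC3280CertPathUtilities.INHIBIT_ANY_POLICY));
    }
    catch (Exception e)
    {
        throw new ExtCertPathValidatorException("Inhibit any-policy extension cannot be decoded.", e, certPath,
            index);
    }

    if (iap == null)
    {
        // extension absent: the state value is carried over unchanged
        return inhibitAnyPolicy;
    }

    BigInteger skipCerts = iap.getValue();
    // SkipCerts is INTEGER (0..MAX). BigInteger.intValue() silently wraps an oversized value,
    // so treat anything negative or wider than 31 bits as a malformed extension instead of
    // feeding a wrapped number into the policy state.
    if (skipCerts.signum() < 0 || skipCerts.bitLength() > 31)
    {
        throw new ExtCertPathValidatorException("Inhibit any-policy extension skipCerts value is out of range.",
            null, certPath, index);
    }

    int _inhibitAnyPolicy = skipCerts.intValue();
    // the extension can only tighten the state value, never relax it
    return (_inhibitAnyPolicy < inhibitAnyPolicy) ? _inhibitAnyPolicy : inhibitAnyPolicy;
}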
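/**
 * RFC 3280 section 6.1.4 step (k): an intermediate certificate must carry a
 * basicConstraints extension whose {@code cA} flag is set.
 *
 * @param certPath the certification path being validated.
 * @param index    position of the certificate to process within {@code certPath}.
 * @throws CertPathValidatorException if the extension cannot be decoded, is absent, or
 *         does not mark the certificate as a CA.
 */
protected static void prepareNextCertK(
    CertPath certPath,
    int index)
    throws CertPathValidatorException
{
    List certs = certPath.getCertificates();
    X509Certificate cert = (X509Certificate)certs.get(index);
    //
    // (k)
    //
    BasicConstraints bc = null;
    try
    {
        bc = BasicConstraints.getInstance(CertPathValidatorUtilities.getExtensionValue(cert,
            RFC3280CertPathUtilities.BASIC_CONSTRAINTS));
    }
    catch (Exception e)
    {
        throw new ExtCertPathValidatorException("Basic constraints extension cannot be decoded.", e, certPath,
            index);
    }
    // Both failures report the offending certificate's position, as the other steps do.
    if (bc == null)
    {
        throw new ExtCertPathValidatorException("Intermediate certificate lacks BasicConstraints", null, certPath,
            index);
    }
    if (!bc.isCA())
    {
        throw new ExtCertPathValidatorException("Not a CA certificate", null, certPath, index);
    }
}

/**
 * RFC 3280 section 6.1.4 step (l): accounts for the certificate at {@code index} in the
 * max_path_length state value.
 *
 * @param certPath      the certification path being validated.
 * @param index         position of the certificate to process within {@code certPath}.
 * @param maxPathLength the current max_path_length state value.
 * @return {@code maxPathLength} unchanged for a self-issued certificate, otherwise
 *         {@code maxPathLength - 1}.
 * @throws CertPathValidatorException if the certificate is not self-issued and
 *         {@code maxPathLength} is already zero or less.
 */
protected static int prepareNextCertL(
    CertPath certPath,
    int index,
    int maxPathLength)
    throws CertPathValidatorException
{
    List certs = certPath.getCertificates();
    X509Certificate cert = (X509Certificate)certs.get(index);
    //
    // (l)
    //
    if (CertPathValidatorUtilities.isSelfIssued(cert))
    {
        // self-issued certificates do not consume path length
        return maxPathLength;
    }
    if (maxPathLength <= 0)
    {
        throw new ExtCertPathValidatorException("Max path length not greater than zero", null, certPath, index);
    }
    return maxPathLength - 1;
}

/**
 * RFC 3280 section 6.1.4 step (m): applies the basicConstraints pathLenConstraint of the
 * certificate at {@code index} to the max_path_length state value.
 *
 * @param certPath      the certification path being validated.
 * @param index         position of the certificate to process within {@code certPath}.
 * @param maxPathLength the current max_path_length state value.
 * @return {@code maxPathLength}, lowered to the certificate's pathLenConstraint when one is
 *         present and smaller.
 * @throws CertPathValidatorException if the extension cannot be decoded, or if its
 *         pathLenConstraint is negative or does not fit in an {@code int}.
 */
protected static int prepareNextCertM(
    CertPath certPath,
    int index,
    int maxPathLength)
    throws CertPathValidatorException
{
    List certs = certPath.getCertificates();
    X509Certificate cert = (X509Certificate)certs.get(index);

    //
    // (m)
    //
    BasicConstraints bc = null;
    try
    {
        bc = BasicConstraints.getInstance(CertPathValidatorUtilities.getExtensionValue(cert,
            RFC3280CertPathUtilities.BASIC_CONSTRAINTS));
    }
    catch (Exception e)
    {
        throw new ExtCertPathValidatorException("Basic constraints extension cannot be decoded.", e, certPath,
            index);
    }
    if (bc == null)
    {
        return maxPathLength;
    }

    BigInteger _pathLengthConstraint = bc.getPathLenConstraint();
    if (_pathLengthConstraint == null)
    {
        return maxPathLength;
    }

    // pathLenConstraint is INTEGER (0..MAX); reject malformed values rather than letting
    // BigInteger.intValue() wrap them into an unrelated number.
    if (_pathLengthConstraint.signum() < 0 || _pathLengthConstraint.bitLength() > 31)
    {
        throw new ExtCertPathValidatorException("Basic constraints pathLenConstraint value is out of range.", null,
            certPath, index);
    }

    int _plc = _pathLengthConstraint.intValue();
    // the constraint can only tighten the state value, never relax it
    return (_plc < maxPathLength) ? _plc : maxPathLength;
}
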
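/**
 * RFC 3280 section 6.1.4 step (n): if the certificate at {@code index} carries a keyUsage
 * extension, the keyCertSign bit must be set.
 *
 * @param certPath the certification path being validated.
 * @param index    position of the certificate to process within {@code certPath}.
 * @throws CertPathValidatorException if a keyUsage extension is present without keyCertSign.
 */
protected static void prepareNextCertN(
    CertPath certPath,
    int index)
    throws CertPathValidatorException
{
    List certs = certPath.getCertificates();
    X509Certificate cert = (X509Certificate)certs.get(index);

    //
    // (n)
    //
    // null when the certificate has no keyUsage extension at all; the check then passes.
    // NOTE(review): the criticality of the extension is not inspected here, although the
    // message below mentions it.
    boolean[] keyUsage = cert.getKeyUsage();
    boolean hasKeyUsage = keyUsage != null;

    if (hasKeyUsage && !keyUsage[RFC3280CertPathUtilities.KEY_CERT_SIGN])
    {
        throw new ExtCertPathValidatorException(
            "Issuer certificate keyusage extension is critical and does not permit key signing.", null,
            certPath, index);
    }
}

/**
 * RFC 3280 section 6.1.4 step (o): runs the user-supplied path checkers against the
 * certificate at {@code index} and then requires every critical extension to have been
 * consumed.
 *
 * @param certPath           the certification path being validated.
 * @param index              position of the certificate to process within {@code certPath}.
 * @param criticalExtensions OIDs of the certificate's still-unresolved critical extensions;
 *                           checkers are expected to remove the ones they handle.
 * @param pathCheckers       the {@link PKIXCertPathChecker} instances to run.
 * @throws CertPathValidatorException if a checker rejects the certificate, or if
 *         {@code criticalExtensions} is non-empty afterwards.
 */
protected static void prepareNextCertO(
    CertPath certPath,
    int index,
    Set criticalExtensions,
    List pathCheckers)
    throws CertPathValidatorException
{
    List certs = certPath.getCertificates();
    X509Certificate cert = (X509Certificate)certs.get(index);
    //
    // (o)
    //

    Iterator tmpIter = pathCheckers.iterator();
    while (tmpIter.hasNext())
    {
        try
        {
            ((PKIXCertPathChecker)tmpIter.next()).check(cert, criticalExtensions);
        }
        catch (CertPathValidatorException e)
        {
            // Re-throw with the path position attached; keep the checker's exception itself
            // as the cause so its stack trace and its own cause chain are not lost.
            throw new CertPathValidatorException(e.getMessage(), e, certPath, index);
        }
    }
    if (!criticalExtensions.isEmpty())
    {
        throw new ExtCertPathValidatorException("Certificate has unsupported critical extension.", null, certPath,
            index);
    }
}

/**
 * RFC 3280 section 6.1.4 step (h)(1): decrements the explicit_policy state value for a
 * certificate that is not self-issued.
 *
 * @param certPath       the certification path being validated.
 * @param index          position of the certificate to process within {@code certPath}.
 * @param explicitPolicy the current explicit_policy state value.
 * @return the updated explicit_policy state value; never decremented below zero.
 */
protected static int prepareNextCertH1(
    CertPath certPath,
    int index,
    int explicitPolicy)
{
    List certs = certPath.getCertificates();
    X509Certificate cert = (X509Certificate)certs.get(index);
    //
    // (h)
    //
    // (1) self-issued certificates do not count, and zero stays at zero
    if (CertPathValidatorUtilities.isSelfIssued(cert) || explicitPolicy == 0)
    {
        return explicitPolicy;
    }
    return explicitPolicy - 1;
}

/**
 * RFC 3280 section 6.1.4 step (h)(2): decrements the policy_mapping state value for a
 * certificate that is not self-issued.
 *
 * @param certPath      the certification path being validated.
 * @param index         position of the certificate to process within {@code certPath}.
 * @param policyMapping the current policy_mapping state value.
 * @return the updated policy_mapping state value; never decremented below zero.
 */
protected static int prepareNextCertH2(
    CertPath certPath,
    int index,
    int policyMapping)
{
    List certs = certPath.getCertificates();
    X509Certificate cert = (X509Certificate)certs.get(index);
    //
    // (h)
    //
    // (2) self-issued certificates do not count, and zero stays at zero
    if (CertPathValidatorUtilities.isSelfIssued(cert) || policyMapping == 0)
    {
        return policyMapping;
    }
    return policyMapping - 1;
}

/**
 * RFC 3280 section 6.1.4 step (h)(3): decrements the inhibit_any_policy state value for a
 * certificate that is not self-issued.
 *
 * @param certPath         the certification path being validated.
 * @param index            position of the certificate to process within {@code certPath}.
 * @param inhibitAnyPolicy the current inhibit_any_policy state value.
 * @return the updated inhibit_any_policy state value; never decremented below zero.
 */
protected static int prepareNextCertH3(
    CertPath certPath,
    int index,
    int inhibitAnyPolicy)
{
    List certs = certPath.getCertificates();
    X509Certificate cert = (X509Certificate)certs.get(index);
    //
    // (h)
    //
    // (3) self-issued certificates do not count, and zero stays at zero
    if (CertPathValidatorUtilities.isSelfIssued(cert) || inhibitAnyPolicy == 0)
    {
        return inhibitAnyPolicy;
    }
    return inhibitAnyPolicy - 1;
}

/**
 * Human-readable names for CRL reason codes, indexed by the numeric reason value as stored
 * in {@code CertStatus}; used when building the "Certificate revocation" message.
 */
protected static final String[] crlReasons = new String[]
{
    "unspecified",
    "keyCompromise",
    "cACompromise",
    "affiliationChanged",
    "superseded",
    "cessationOfOperation",
    "certificateHold",
    "unknown",
    "removeFromCRL",
    "privilegeWithdrawn",
    "aACompromise"};

/**
 * RFC 3280 section 6.1.5 step (a): decrements the explicit_policy state value for the final
 * certificate when it is not self-issued.
 *
 * @param explicitPolicy the current explicit_policy state value.
 * @param cert           the last certificate of the path.
 * @return the updated explicit_policy state value; never decremented below zero.
 */
protected static int wrapupCertA(
    int explicitPolicy,
    X509Certificate cert)
{
    //
    // (a)
    //
    boolean selfIssued = CertPathValidatorUtilities.isSelfIssued(cert);
    if (selfIssued || explicitPolicy == 0)
    {
        return explicitPolicy;
    }
    return explicitPolicy - 1;
}

/**
 * RFC 3280 section 6.1.5 step (b): a policyConstraints extension with
 * requireExplicitPolicy equal to zero forces the explicit_policy state value to zero.
 *
 * @param certPath       the certification path being validated.
 * @param index          position of the certificate to process within {@code certPath}.
 * @param explicitPolicy the current explicit_policy state value.
 * @return zero if requireExplicitPolicy is present and zero, otherwise
 *         {@code explicitPolicy} unchanged.
 * @throws CertPathValidatorException if the extension or its requireExplicitPolicy field
 *         cannot be decoded.
 */
protected static int wrapupCertB(
    CertPath certPath,
    int index,
    int explicitPolicy)
    throws CertPathValidatorException
{
    List certs = certPath.getCertificates();
    X509Certificate cert = (X509Certificate)certs.get(index);
    //
    // (b)
    //
    ASN1Sequence pc = null;
    try
    {
        pc = DERSequence.getInstance(CertPathValidatorUtilities.getExtensionValue(cert,
            RFC3280CertPathUtilities.POLICY_CONSTRAINTS));
    }
    catch (AnnotatedException e)
    {
        throw new ExtCertPathValidatorException("Policy constraints could not be decoded.", e, certPath, index);
    }
    if (pc == null)
    {
        return explicitPolicy;
    }

    Enumeration policyConstraints = pc.getObjects();
    while (policyConstraints.hasMoreElements())
    {
        ASN1TaggedObject constraint = (ASN1TaggedObject)policyConstraints.nextElement();
        // only requireExplicitPolicy ([0]) matters in wrap-up; other tags are skipped
        if (constraint.getTagNo() != 0)
        {
            continue;
        }
        int requireExplicitPolicy;
        try
        {
            // NOTE(review): intValue() wraps oversized values; a wrapped value can only make
            // the result more restrictive here (return 0) or leave it unchanged.
            requireExplicitPolicy = DERInteger.getInstance(constraint, false).getValue().intValue();
        }
        catch (Exception e)
        {
            throw new ExtCertPathValidatorException(
                "Policy constraints requireExplicitPolicy field could not be decoded.", e, certPath,
                index);
        }
        if (requireExplicitPolicy == 0)
        {
            return 0;
        }
    }
    return explicitPolicy;
}

/**
 * RFC 3280 section 6.1.5 step (f): runs the user-supplied path checkers against the final
 * certificate and then requires every critical extension to have been consumed.
 *
 * @param certPath           the certification path being validated.
 * @param index              position of the certificate to process within {@code certPath}.
 * @param pathCheckers       the {@link PKIXCertPathChecker} instances to run.
 * @param criticalExtensions OIDs of the certificate's still-unresolved critical extensions;
 *                           checkers are expected to remove the ones they handle.
 * @throws CertPathValidatorException if a checker rejects the certificate, or if
 *         {@code criticalExtensions} is non-empty afterwards.
 */
protected static void wrapupCertF(
    CertPath certPath,
    int index,
    List pathCheckers,
    Set criticalExtensions)
    throws CertPathValidatorException
{
    List certs = certPath.getCertificates();
    X509Certificate cert = (X509Certificate)certs.get(index);
    for (Iterator checkerIter = pathCheckers.iterator(); checkerIter.hasNext();)
    {
        PKIXCertPathChecker checker = (PKIXCertPathChecker)checkerIter.next();
        try
        {
            checker.check(cert, criticalExtensions);
        }
        catch (CertPathValidatorException e)
        {
            throw new ExtCertPathValidatorException("Additional certificate path checker failed.", e, certPath,
                index);
        }
    }

    if (!criticalExtensions.isEmpty())
    {
        throw new ExtCertPathValidatorException("Certificate has unsupported critical extension", null, certPath,
            index);
    }
}

// … head of wrapupCertG; the method continues later in the file and is left unchanged …
protected static PKIXPolicyNode wrapupCertG(
    CertPath certPath,
    ExtendedPKIXParameters paramsPKIX,
    Set userInitialPolicySet,
    int index,
    List[] policyNodes,
    PKIXPolicyNode validPolicyTree,
    Set acceptablePolicies)
    throws CertPathValidatorException
{
    int n = certPath.getCertificates().size();
    //
    // (g)
    //
    PKIXPolicyNode intersection;
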
2408c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // 2409c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // (g) (i) 2410c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // 2411c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (validPolicyTree == null) 2412c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 2413c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (paramsPKIX.isExplicitPolicyRequired()) 2414c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 2415c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw new ExtCertPathValidatorException("Explicit policy requested but none available.", null, 2416c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom certPath, index); 2417c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 2418c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom intersection = null; 2419c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 2420c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom else if (CertPathValidatorUtilities.isAnyPolicy(userInitialPolicySet)) // (g) 2421c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // (ii) 2422c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 2423c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (paramsPKIX.isExplicitPolicyRequired()) 2424c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 2425c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (acceptablePolicies.isEmpty()) 2426c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 2427c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw new ExtCertPathValidatorException("Explicit policy requested but none available.", null, 2428c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom certPath, index); 2429c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 2430c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom else 2431c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 
2432c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom Set _validPolicyNodeSet = new HashSet(); 2433c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 2434c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom for (int j = 0; j < policyNodes.length; j++) 2435c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 2436c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom List _nodeDepth = policyNodes[j]; 2437c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 2438c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom for (int k = 0; k < _nodeDepth.size(); k++) 2439c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 2440c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom PKIXPolicyNode _node = (PKIXPolicyNode)_nodeDepth.get(k); 2441c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 2442c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (RFC3280CertPathUtilities.ANY_POLICY.equals(_node.getValidPolicy())) 2443c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 2444c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom Iterator _iter = _node.getChildren(); 2445c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom while (_iter.hasNext()) 2446c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 2447c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom _validPolicyNodeSet.add(_iter.next()); 2448c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 2449c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 2450c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 2451c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 2452c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 2453c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom Iterator _vpnsIter = _validPolicyNodeSet.iterator(); 2454c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom while (_vpnsIter.hasNext()) 2455c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 2456c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 
PKIXPolicyNode _node = (PKIXPolicyNode)_vpnsIter.next(); 2457c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom String _validPolicy = _node.getValidPolicy(); 2458c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 2459c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (!acceptablePolicies.contains(_validPolicy)) 2460c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 2461c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // validPolicyTree = 2462c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // removePolicyNode(validPolicyTree, policyNodes, 2463c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // _node); 2464c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 2465c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 2466c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (validPolicyTree != null) 2467c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 2468c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom for (int j = (n - 1); j >= 0; j--) 2469c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 2470c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom List nodes = policyNodes[j]; 2471c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 2472c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom for (int k = 0; k < nodes.size(); k++) 2473c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 2474c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom PKIXPolicyNode node = (PKIXPolicyNode)nodes.get(k); 2475c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (!node.hasChildren()) 2476c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 2477c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom validPolicyTree = CertPathValidatorUtilities.removePolicyNode(validPolicyTree, 2478c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom policyNodes, node); 2479c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 2480c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 
2481c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 2482c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 2483c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 2484c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 2485c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 2486c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom intersection = validPolicyTree; 2487c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 2488c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom else 2489c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 2490c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // 2491c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // (g) (iii) 2492c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // 2493c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // This implementation is not exactly same as the one described in 2494c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // RFC3280. 2495c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // However, as far as the validation result is concerned, both 2496c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // produce 2497c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // adequate result. The only difference is whether AnyPolicy is 2498c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // remain 2499c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // in the policy tree or not. 
2500c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // 2501c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // (g) (iii) 1 2502c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // 2503c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom Set _validPolicyNodeSet = new HashSet(); 2504c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 2505c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom for (int j = 0; j < policyNodes.length; j++) 2506c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 2507c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom List _nodeDepth = policyNodes[j]; 2508c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 2509c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom for (int k = 0; k < _nodeDepth.size(); k++) 2510c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 2511c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom PKIXPolicyNode _node = (PKIXPolicyNode)_nodeDepth.get(k); 2512c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 2513c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (RFC3280CertPathUtilities.ANY_POLICY.equals(_node.getValidPolicy())) 2514c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 2515c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom Iterator _iter = _node.getChildren(); 2516c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom while (_iter.hasNext()) 2517c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 2518c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom PKIXPolicyNode _c_node = (PKIXPolicyNode)_iter.next(); 2519c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (!RFC3280CertPathUtilities.ANY_POLICY.equals(_c_node.getValidPolicy())) 2520c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 2521c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom _validPolicyNodeSet.add(_c_node); 2522c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 2523c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 
2524c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 2525c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 2526c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 2527c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 2528c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // 2529c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // (g) (iii) 2 2530c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // 2531c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom Iterator _vpnsIter = _validPolicyNodeSet.iterator(); 2532c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom while (_vpnsIter.hasNext()) 2533c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 2534c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom PKIXPolicyNode _node = (PKIXPolicyNode)_vpnsIter.next(); 2535c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom String _validPolicy = _node.getValidPolicy(); 2536c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 2537c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (!userInitialPolicySet.contains(_validPolicy)) 2538c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 2539c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom validPolicyTree = CertPathValidatorUtilities.removePolicyNode(validPolicyTree, policyNodes, _node); 2540c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 2541c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 2542c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 2543c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // 2544c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // (g) (iii) 4 2545c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // 2546c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (validPolicyTree != null) 2547c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 2548c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom for (int j = (n - 1); j >= 0; j--) 
2549c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 2550c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom List nodes = policyNodes[j]; 2551c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 2552c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom for (int k = 0; k < nodes.size(); k++) 2553c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 2554c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom PKIXPolicyNode node = (PKIXPolicyNode)nodes.get(k); 2555c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (!node.hasChildren()) 2556c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 2557c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom validPolicyTree = CertPathValidatorUtilities.removePolicyNode(validPolicyTree, policyNodes, 2558c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom node); 2559c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 2560c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 2561c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 2562c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 2563c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 2564c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom intersection = validPolicyTree; 2565c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 2566c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom return intersection; 2567c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 2568c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 2569c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom} 2570